Logo
My Crypto News AI

Crypto's Worst Week in Months: $35M Lost to Governance Attacks, Oracle Flaws, and Wallet Vulnerabilities

The week of July 5 to July 11 became one of the roughest stretches of 2026 for crypto security, with confirmed losses exceeding $35 million across three major protocol incidents, a wallet-level vulnerability, and smaller phishing attacks. The damage included a $20 million governance takeover of BonkDAO, a $6 million flash loan exploit at Summer.fi, a $9 million oracle manipulation attack on Bonzo Lend, and over $5 million in thefts from wallets with weak randomness in their seed phrase generation.

How Did Attackers Drain $20 Million From BonkDAO Without Hacking Any Code?

BonkDAO, the community governance body behind Solana's BONK memecoin, suffered the week's largest loss on July 6 when an attacker drained approximately $20 million from the treasury using the DAO's own voting system. The attacker did not exploit a software vulnerability; instead, they accumulated roughly $4 million worth of BONK tokens through exchange wallets over several days, gained a dominant share of voting power, and pushed a malicious proposal through the DAO's token-weighted governance on Solana's Realms platform.

The proposal, labeled "BIP #76 Sowellian BonkDAO," claimed it would implement new governance, install a new council, and monetize holdings. It remained live for six days without any challenge from the community. When the vote closed, wallets linked to the attacker controlled approximately 99.878% of the votes cast, with only seven addresses voting out of more than 18,000 eligible wallets. Roughly 4.426 trillion BONK tokens, worth an estimated $20 million, moved from the treasury to attacker-controlled wallets, and the attacker even renamed the DAO.

"The incident was less a hack than a takeover through weak governance rules and low voter turnout," noted Yu Xian, co-founder of SlowMist.

Yu Xian, Co-founder at SlowMist

BonkDAO confirmed the incident in an official statement on July 6, saying it had identified the exchange wallets used to purchase BONK ahead of the vote and that law enforcement had been notified. Arkham Intelligence tracking showed portions of the stolen BONK heading toward exchanges, and the BONK token fell more than 8%, deepening a decline of over 80% across the past year. As of the end of the week, BonkDAO had not confirmed that any portion of the stolen tokens had been frozen or recovered, and no compensation plan had been announced.

What Happened to Summer.fi and Bonzo Lend?

Hours before the BonkDAO news broke, multichain protocol Summer Finance was hit by a suspected flash loan exploit worth nearly $6 million on July 6. A flash loan is a type of uncollateralized loan in decentralized finance (DeFi) that must be repaid within the same transaction; attackers can use these loans to manipulate token prices and extract value from protocols. CertiK first flagged a suspicious transaction in which the attacker profited around $6 million using a roughly $65.4 million flash loan for liquidity manipulation.

PeckShield confirmed the protocol had been exploited for $6 million in DAI, a stablecoin pegged to the US dollar, and security firm Blockaid reported the funds were drained before any warnings reached users. Summer.fi responded by pausing all Lazy Summer vaults and cutting deposit caps to zero across networks. On-chain intelligence indicated the largest single victim was a wallet linked to Torben Jorgensen, co-founder of Web3 firm UDHC, who had deposited about 8.6 million USDC into the affected pool shortly before the attack. The stolen DAI was swiftly converted through Uniswap V3 pools, a decentralized exchange.

The week closed with Hedera's biggest DeFi lender, Bonzo Lend, being hacked for $9 million on July 11, with $5.25 million bridged to Ethereum. The exploit began around 00:51 UTC on July 11, when the attacker submitted a manipulated price for the SAUCE token that inflated its value by about 12 orders of magnitude. The oracle verifier, a system that confirms price data, accepted the update despite it carrying a zeroed signature rather than a valid one from the authorized committee.

Eight seconds later, the attacker used a deposit of just 250 SAUCE tokens, worth a few dollars, as collateral to borrow approximately $9.05 million. The legitimate oracle feed restored SAUCE to about 0.1964 HBAR at 01:36 UTC, and Bonzo Lend was paused five minutes later. Bonzo identified Supra as the oracle provider whose verification infrastructure accepted the invalid update, and Supra acknowledged the issue and deployed a fix to the affected verifier contract on Hedera mainnet.

How to Protect Your Wallet From Seed Phrase Vulnerabilities

Beyond protocol exploits, wallet users took direct hits during the week. Security firm Coinspect disclosed a vulnerability called Ill Bloom, rooted in how some older mobile and browser extension wallets generated recovery phrases with weak randomness, letting attackers derive the seed and drain everything it controls. A recovery phrase, also called a seed phrase or mnemonic, is a sequence of words that can be used to restore access to a cryptocurrency wallet.

Coinspect confirmed a coordinated sweep on May 27 that drained about $3.1 million from 431 wallets, plus a further $2.1 million in USDT stolen afterward from a seed the same attacker had already compromised. As of Coinspect's July 10 update, confirmed losses had passed $5 million, and the firm called that a floor rather than a ceiling, as it kept finding more vulnerable seed phrases along other generation paths.

  • Never Enter Your Seed Phrase Online: Coinspect warned users never to enter a seed phrase into any checker or website, as this exposes the phrase to potential theft or interception.
  • Move Funds to a Hardware Wallet: If your seed phrase has been exposed, transfer your assets to a hardware wallet with a freshly generated phrase to prevent future unauthorized access.
  • Check for Vulnerability: Coinspect expanded its public checker to reflect the larger exposed set of vulnerable seed phrases, allowing users to verify whether their wallet generation method is at risk.

What Do These Incidents Reveal About Crypto Security?

The $35 million in losses during a single week underscores systemic vulnerabilities across decentralized finance and wallet infrastructure. The BonkDAO incident revealed that governance mechanisms can be compromised not through code exploits but through weak participation rules and low voter turnout. Only seven addresses voted out of more than 18,000 eligible wallets, allowing a single attacker with a dominant token position to push through a malicious proposal.

The oracle manipulation attack on Bonzo Lend exposed a critical flaw in how price data is verified. The attacker was able to submit a price update with a zeroed signature, a cryptographic marker that should have been invalid, yet the oracle verifier accepted it anyway. This allowed the attacker to borrow $9 million using a deposit worth only a few dollars as collateral.

The Ill Bloom wallet vulnerability demonstrated that even older, established wallet infrastructure can harbor fundamental flaws in how it generates the random data needed to create secure seed phrases. Weak randomness in seed phrase generation means an attacker with sufficient computing power can derive the phrase and gain full control of the wallet.

Community pressure is mounting for reforms across these areas. BonkDAO community members are calling for execution timelocks, which would delay the execution of approved proposals to allow time for review; higher quorums, which would require a larger percentage of token holders to vote; and emergency multisig controls, which would allow a group of trusted parties to pause or reverse malicious actions. Major exchanges including Upbit, Bithumb, and Kraken suspended BONK deposits and withdrawals while monitoring inflows linked to the exploit, signaling heightened vigilance across the ecosystem.