Governance Attacks Are the New Frontier: How a $4.4M Vote Unlocked BONK's $20M Treasury
Cryptocurrency attackers are shifting tactics, moving away from smart contract vulnerabilities toward a more direct approach: buying voting power in decentralized organizations to drain their treasuries. On June 30, 2026, an attacker spent approximately $4.4 million acquiring BONK tokens to gain temporary control of BONK DAO's governance system, then used that majority to approve a proposal transferring roughly $20 million from the organization's treasury to a wallet under their control.
What Exactly Happened With the BONK DAO Attack?
BONK DAO is a decentralized autonomous organization (DAO) that oversees BONK, a memecoin built on the Solana blockchain. Like most DAOs, it allows token holders to vote on proposals that automatically execute once approved. The attacker's strategy was straightforward but effective: accumulate enough BONK tokens to meet the voting threshold, submit a treasury transfer proposal, and let the DAO's smart contracts do the rest.
To pass, the proposal required support representing at least 1 percent of BONK's circulating supply. The attacker purchased BONK through major exchanges including Bybit and Binance, while also borrowing additional funds through decentralized lending platforms. The proposal ultimately passed with participation from just seven wallets, while more than 18,000 eligible members did not vote. The measure received approval by the narrowest possible margin, surpassing the required quorum with 882.38 billion BONK voting in favor against a threshold of 879.95 billion BONK.
Once approved, the DAO's smart contracts automatically executed the transaction, transferring approximately 4.43 trillion BONK tokens, worth around $20 million, to the attacker's wallet. Shortly after receiving the treasury funds, the attacker transferred around $188,000 worth of BONK to a cryptocurrency exchange, likely to begin cashing out. Approximately $19 million was moved to a multisignature wallet requiring multiple approvals before the funds can be transferred.
Why Is This Different From Traditional Hacks?
Unlike many high-profile crypto exploits that target code vulnerabilities or compromise private keys, the BONK attack followed every rule of the DAO's existing governance system. The attacker did not breach the protocol's security or manipulate its code. Every step, from purchasing tokens to casting votes and executing the treasury transfer, operated within the established rules. This distinction has reignited debate within the crypto industry over whether such incidents should be classified as hacks or governance exploits.
This shift reflects a broader trend in Web3 security. According to recent security data, wallet compromises and operational infrastructure attacks have become more costly than smart contract vulnerabilities. During the first half of 2026, wallet-related attacks generated more than $444 million across just 33 incidents, making them the most expensive attack category despite representing only a small fraction of total cases. By comparison, code vulnerabilities produced the highest number of incidents at 204, but resulted in substantially lower aggregate losses of around $151.6 million.
How to Protect DAOs From Governance Attacks
- Increase Quorum Requirements: Require a higher percentage of token holders to participate in votes, making it harder for a single actor to gain control through low voter turnout and concentrated purchases.
- Implement Time Locks: Add delays between proposal approval and execution, allowing the community time to detect and respond to suspicious governance actions before funds are transferred.
- Use Multisig Wallets for Treasury: Require multiple independent approvals before large treasury transfers execute, preventing a single governance vote from immediately draining funds.
- Monitor Voting Patterns: Track unusual token accumulation and voting behavior in real time, alerting the community to potential attacks before proposals pass.
- Establish Delegation Limits: Cap the voting power any single wallet can accumulate within a specific timeframe to prevent rapid governance takeovers.
BONK DAO has confirmed the incident and said it is working with cryptocurrency exchanges, blockchain bridges, the Solana Foundation, and law enforcement to respond to the attack. The exploit serves as a reminder that cybersecurity risks are no longer limited to software vulnerabilities. As decentralized governance becomes more common, attackers are increasingly targeting the rules that govern protocols rather than attempting to break the underlying technology.
The BONK incident suggests that, for decentralized organizations, the greatest weakness may not be the code itself, but governance models that allow anyone with enough capital to temporarily buy control over multimillion-dollar treasuries. This represents a fundamental challenge for the DAO model: how to balance accessibility and decentralization with security and protection against well-funded attackers.
The broader Web3 security landscape in 2026 shows that attacks are becoming more targeted and operationally sophisticated. The sector lost more than $1.31 billion to hacks, exploits, and scams during the first six months of 2026. While the total number of incidents remained relatively stable at 344 cases, the underlying threat model has shifted. Nearly half of all losses stemmed from just two attacks that occurred within weeks of each other in April, including the Drift Protocol exploit, which involved an administrative key compromise that enabled fraudulent collateral creation and asset withdrawals.
The BONK governance attack highlights a critical gap in how the crypto industry thinks about security. Traditional security audits focus on smart contract code, but governance attacks exploit the economic and social layers of decentralized systems. As DAOs manage increasingly large treasuries, the incentive for attackers to exploit governance mechanisms will only grow. The crypto industry must develop new frameworks for governance security that match the sophistication of code audits and operational security practices.