An attacker spent $4.4 million to acquire 1 percent of BONK tokens, passing a malicious proposal to drain $20 million from the treasury.
A Solana-based memecoin project, BONK, suffered a $20 million treasury drain after an attacker exploited its onchain governance system. The attacker spent approximately $4.4 million to buy just over 1 percent of BONK’s supply, meeting the quorum threshold to pass a proposal with 99.9 percent approval. The proposal transferred the funds to a wallet controlled by the attacker, who then began selling the tokens.
The incident highlights vulnerabilities in token-based governance, where a temporary voting majority can be purchased cheaply. The attack passed through legitimate transactions, including token purchases, voting, and payout execution, raising questions about whether such actions constitute theft or exploitation of flawed rules. BONK DAO’s treasury was drained late Monday, following a week-long scheme.
This event reignites debate over the security of onchain governance, once touted as the future of decentralized community management. The low-turnout ballot allowed the attacker to become the decisive voter, underscoring risks when treasuries are subject to public votes accessible to anyone with sufficient capital.