News · News

BonkDAO Loses Estimated $20M After Attacker Buys Voting Power for $4M and Passes Malicious Governance Proposal

An attacker spent ~$4M to buy voting power, passed a malicious governance proposal, and drained an estimated $20M from BonkDAO's treasury — no code exploit needed.

BonkDAO Loses Estimated $20M After Attacker Buys Voting Power for $4M and Passes Malicious Governance Proposal

BonkDAO has confirmed that roughly $20 million worth of BONK tokens were drained from its treasury after an attacker spent approximately $4 million to accumulate enough voting power to pass a malicious governance proposal. No smart-contract bug required. Just capital, and a governance process thin enough to let a single vote become a direct path to the funds.

S
Solana
SOL
View coin →
$78.95 3.59%
Market cap · $45.94B

The attack targeted the SSOL$78.953.59%-based memecoin’s decentralized autonomous organization, as confirmed by BonkDAO and reported by CryptoNews. The attacker didn’t hunt for a code vulnerability. They bought governance tokens, voted through a proposal authorizing the treasury drain, and exited with the funds before the community could mount a response.

The $4 million figure for the attacker’s voting-power acquisition comes from a CryptoBriefing sidebar embedded in a Galaxy Digital/CoreWeave story — not a standalone BonkDAO report. According to Binance Square reporting, the attacker funded the proposal through a centralized exchange, though the specific CEX has not been named.

The mechanics are what make this worth examining closely. CryptoSlate characterizes the root cause as DAO review controls being “too thin” — token-weighted votes could become a treasury access path without sufficient time-locks, multi-signature requirements, or human review gates to stop a malicious proposal before execution. No code was broken. The governance design itself was the vulnerability.

This is a known attack vector, and it remains badly underaddressed across the sector. An attacker acquires governance tokens — on the open market or through a CEX — builds enough voting weight, pushes through a self-serving proposal, and drains the treasury before anyone can intervene. BonkDAO is a textbook execution of that playbook. It cost the attacker $4 million to walk away with $20 million.

BonkDAO’s official confirmation matters here. This is not a rumor circulating on X or an unverified social-media claim. The drain has been acknowledged by the organization itself, which puts the $20 million figure on firm ground even as the attacker’s identity, the exact proposal language, and the specific CEX used to fund the operation remain undisclosed.

The broader framing from CryptoSlate is that this represents a “serious security fault line for memecoin treasuries” — not a one-off BonkDAO failure but a structural weakness that any token-weighted DAO with similar governance mechanics could face. Memecoin DAOs tend to launch with minimal institutional oversight and lean heavily on token-weighted voting. That combination is exposure. If a few million dollars in token purchases can unlock a $20 million treasury, the economic incentive to run the same play elsewhere is not subtle.

Market Context

The timing lands against an uncomfortable market backdrop. Solana, the chain on which BONK runs, is currently trading at $80.53, down 1.9% over the past 24 hours but up 9.88% on the week, carrying a market cap of $46.84 billion on 24-hour volume of $2.17 billion. The total crypto market cap sits at $2,269.06 billion with 24-hour volume of $74.93 billion. The Fear & Greed Index reads 20/100 — Extreme Fear — a sentiment environment that amplifies negative headlines and punishes protocols perceived as vulnerable.

A $20 million governance drain won’t move SOL’s price in isolation. But it feeds a running narrative about DAO governance failures that has shadowed the sector since early 2024, when a string of similar attacks on smaller protocols demonstrated that token-weighted voting is only as secure as the review process layered on top of it.

No Code to Patch

This attack differs from a typical smart-contract exploit in one critical respect: there is no code to patch. The vulnerability lives in the governance design — the rules governing who can propose, how long a proposal sits before execution, and whether a multi-sig or human review gate stands between a successful vote and a treasury transfer. Fixing it means changing those rules. There is no hotfix.

No remediation timeline or post-mortem has been published by BonkDAO. What is confirmed is the arithmetic: approximately $4 million in, approximately $20 million out, and a governance model exposed as insufficient to stop it.

The question sitting in front of every other memecoin DAO right now is whether this registers as a warning or as background noise. The next protocol with thin review controls and a token-weighted voting system is the obvious next target. The BonkDAO attack just proved the economics work.

Nadia Rahman

Nadia Rahman

Markets Editor · 9 years covering crypto · Author page

Nadia Rahman is CoinScoop's Markets Editor. She covers Bitcoin, macro liquidity and the spot-ETF complex, and previously reported on rates and FX for a global newswire.

Disclosure: This article is independent journalism and is for information only — it is not financial advice. CoinScoop is reader-supported and may earn a commission from some links. Read our disclosure policy →