Loading prices…
STKR NewsSTKR News0 of 3 free this month
Markets

BonkDAO loses $20 million following ‘malicious governance proposal’ attack

BonkDAO recently lost $20 million in a governance-based exploit, proving once again that trustless systems are only as secure as the human voters who oversee them.

Originally on The Block
AB

Adrian Boysel

Contributor

Jul 6, 2026

4 min read

Photo illustration / STKR News

A $20 million hole just opened up in the BonkDAO treasury. If you are a founder or a developer in the Solana ecosystem, you need to pay attention, because this wasn't a complex code exploit or a flash loan attack. It was a governance failure. Someone convinced the system to hand over the keys, and the system complied.

The Vulnerability of Consent

We talk a lot about the security of smart contracts, but we rarely talk about the security of the voters who manage them. In this case, a malicious governance proposal was pushed through, leading to the drainage of a massive amount of capital that was supposed to fund the ecosystem. This wasn't a break-in; it was a social engineering play at the institutional level.

The stolen assets have already begun their journey through the plumbing of the crypto world. Funds were tracked moving toward several centralized exchanges. This triggered a fast response from Upbit, the South Korean exchange, which immediately halted BONK deposits and withdrawals to prevent the attacker from cashing out easily. But by the time an exchange steps in, the damage to the protocol's reputation is usually done.

Why Governance Attacks Are the New Normal

For a founder, this is a nightmare scenario. You build a decentralized autonomous organization (DAO) to ensure community control, but you inadvertently create a mechanism where a small group of coordinated actors—or one very clever manipulator—can walk away with the treasury. Most DAOs suffer from low voter turnout. When participation is low, the cost to capture the vote becomes much lower than the value of the treasury itself.

We have seen this play out across various chains. If you have $100 million in a treasury and it only takes $10 million in tokens to pass a proposal, you have a structural incentive for a hostile takeover. In the case of BonkDAO, the attackers used the rules of the system to destroy the system.

  • Voter Apathy: Most token holders do not vote. This makes it easy for a minority to pass radical changes.
  • Lack of Veto Power: Without a multi-sig or a safety delay, malicious proposals can execute before anyone realizes what happened.
  • Complexity: Heavy technical jargon in proposals can hide malicious intent from the average voter.

The South Korean Connection

Upbit’s involvement is significant. South Korea is one of the most active markets for retail crypto trading, and BONK has a massive footprint there. When a major venue like Upbit closes the doors, it creates a liquidity vacuum. While it helps stop the thief, it also punishes the innocent holders who can't move their funds during the volatility.

This is the paradox of decentralization. We build these tools to be independent of central authorities, but as soon as something goes wrong, we rely on centralized exchanges to act as the police. It is a messy, inconsistent way to manage security, and it highlights the gap between the vision of DeFi and its current reality.

What Builders Must Learn

If you are currently architecting a DAO or a community-led project, take this as a warning. Your governance logic is a surface area for attack just as much as your swap logic. You cannot trust that your community will always act in their own collective best interest. People are busy, distracted, and sometimes easily fooled.

Consider implementing hard guardrails. For example, some protocols are moving toward a dual-token governance model or requiring a minimum time delay between a vote passing and the funds being released. If there was a seven-day waiting period on the BonkDAO proposal, the community might have caught the alarm before the funds hit the exchanges. Speed is the enemy of security in governance.

Separating the Meme from the Mission

Bonk started as a meme, but it grew into a legitimate force within the Solana ecosystem. It has millions in its treasury meant for developer grants, marketing, and infrastructure. When $20 million goes missing, it’s not just a loss for token holders; it’s a loss for the builders who were counting on those grants to keep their projects alive.

This attack shows that no matter how much fun a community is having, the underlying financial infrastructure must be treated with absolute seriousness. Being a meme coin doesn't excuse you from having institutional-grade security protocols. In fact, because meme coins often have less sophisticated voter bases, they need even stronger safety nets.

The most dangerous part of any DAO is the assumption that the majority will always be right. Usually, the majority isn't even looking.

The Path Forward

We should expect more of these types of attacks. As the industry matures, hackers are realizing that it is much easier to trick a human being than it is to find a flaw in a battle-tested smart contract. Social engineering is the final frontier of crypto security.

As an industry, we need to stop rewarding speed and start rewarding friction. Friction in governance is a feature, not a bug. It prevents impulsive decisions and protects against hostile actors. If your DAO can move $20 million in a single transaction without a multi-layered check, you aren't decentralized; you're just vulnerable.

Keep your eyes on the movement of these funds. The recovery process is rarely successful, but the investigation will likely reveal exactly which levers were pulled to make this happen. For the rest of us, it's time to go back to the drawing board and tighten the screws on how we let people vote on our money.


Read the original at The Block →

The Brief

Stay Updated on Cutting-Edge Tech

A six-minute morning dispatch on the markets and the technology shaping them.

Free. No spam. Unsubscribe anytime.

Write for STKR

Become a Contributor

Earn $STKR for published stories on markets, protocols, and culture.

  • Earn $STKR for every published piece
  • Editorial support from the STKR desk
  • Byline visibility across the network
  • First look at the upcoming creator program
Apply to Write

Keep reading

All stories

Comments

24 reader responses