The attackers siphoned off $20 million from BonkDAO's funds with only 2.9% of the vote

BonkDAO, the decentralized governance organization behind BONK Solana, lost approximately $20 million after an attacker spent just $4.4 million to acquire over 1% of the total circulating supply.

7/8/20263 min read

Six Days to Accumulate Silent Voting Rights

The chain of attacks began on June 30th when an anonymous wallet submitted a proposal to transfer all treasury assets to a wallet under its control. For the proposal to be approved, it needed a vote equivalent to 1% of the total BONK supply – a minimum threshold for the proposal to take effect. On July 4th and 5th, another wallet purchased exactly that amount, spending approximately $4.4 million to buy BONK on Bybit and Binance, and, according to some sources, also borrowed additional funds through DeFi lending platforms.

The proposal was made public for six days without opposition or veto, a period long enough for community response if effective proposal monitoring systems were in place. The proposal text was written in less technical and less governance-oriented language than a typical BONK Improvement Proposal, closer to a manifesto than a policy change, promising to "rebuild from the ashes, monetize assets, prevent losses" and including a line informing readers that "all those who voted in favor are eligible to receive tokens." Hidden beneath that was a single directive that should have been scrutinized immediately: transfer 4.43 trillion BONK to the attacker's wallet.

By July 6th, the attacker had accumulated enough tokens. The total number of votes cast was 882.38 billion BONK, exceeding the required threshold of 879.95 billion, surpassing it just enough—exactly the amount of tokens the attacker had spent days accumulating. At 4:00 AM Eastern Time, over 4.4 trillion BONK was automatically transferred out of the treasury.

A failure in governance, not a source code vulnerability.

This wasn't a smart contract vulnerability exploit in the traditional sense. The attacker operated entirely within established rules. BonkDAO and blockchain analytics firms described the incident as an "attack," and the law enforcement intervention reflects that assessment. However, it is this very mechanism that offers the real lesson: the treasury can be emptied by anyone who can gather a provisional majority of votes, and the cost of acquiring that majority here is significantly lower than the reward.

Three core governance design flaws converged to create the ideal conditions for the attack. There was no time lock mechanism between a proposal being passed and its automatic execution on the chain. A mandatory delay of 48 to 72 hours would allow the community to identify anomalies and respond before funds were transferred.

The majority vote threshold is too low relative to the treasury's value. Reaching 1% of the total supply requires only $4.4 million compared to the treasury holding $20 million, creating an attractive cost-to-reward ratio of approximately 1:5. With actual voter turnout at only 2.9% (seven e-wallets from 18,000 members), this minimum vote threshold never truly reflected the community's consensus.

There is no emergency multi-signature veto mechanism that would allow a council or large stakeholders to block an unusual proposal before it is implemented.

Asset movements and exchange reactions

After the proposal was approved, the first 4.43 trillion BONK were transferred to a wallet ending in "JHvQ," which Solscan identified as being deposited via a Bybit account. Then, at 3:30 PM on the same day, these tokens were further transferred to a second Solana address ending in "eh42." PeckShield recorded approximately $148,000 worth of stolen BONK that was subsequently transferred to OKX.

Exchanges responded quickly. Upbit in South Korea and Kraken in the United States both immediately suspended BONK deposits and withdrawals following the incident, with Upbit citing "measures to protect users after a security incident." Bithumb also suspended BONK trading across the entire South Korean market.

Assessment and Conclusion

The BonkDAO incident raises a fundamental question about the security of any DAO maintaining a large treasury while relying on simple, token-weighted governance systems. With a low quorum threshold, no time lock-up, and no multi-signature emergency checks to detect anomalous proposals before execution, a well-funded attacker could convert $4 million in token purchases into control of a $20 million treasury.

The governance improvements highlighted by this incident include: mandatory time locks on all Treasury transfer proposals; a higher quorum threshold for proposals affecting the Treasury than for policy proposals; an emergency veto mechanism for the board or overseeing stakeholders; voting snapshots taken before proposal submission to prevent last-minute accumulation; and a requirement for independent technical committee review of proposals involving large Treasury transfers.

Disclaimer: The information presented in this article is the author's personal opinion in the field of cryptocurrencies. This is not financial or investment advice at all. Every investment decision should be based on careful consideration of your personal portfolio and risk tolerance. The opinion in the article does not represent the official position of the platform. We recommend that readers do their own research and consult experts before making any investment decisions.

Synthesized and analyzed by HCCVenture

Follow HCCVenture organization here: https://link3.to/holdcoincventure

Explore HCCVenture group

HCCVenture © 2023. All rights reserved.

Connect with us

Popular content

Contact to us

E-mail : sp_contact@hccventure.com

Register : https://linktr.ee/holdcoincventure

Disclaimer: The information on this website is for informational purposes only and should not be considered investment advice. We are not responsible for any risks or losses arising from investment decisions based on the content here.

TERMS AND CONDITIONS • CUSTOMER PROTECTION POLICY

ANALYTICAL AND NEWS CONTENT IS COMPILED AND PROVIDED BY EXPERTS IN THE FIELD OF DIGITAL FINANCE AND BLOCKCHAIN ​​BELONGING TO HCCVENTURE ORGANIZATION, INCLUDING OWNERSHIP OF THE CONTENT.

RESPONSIBLE FOR MANAGING ALL CONTENT AND ANALYSIS: HCCVENTURE FOUNDER - TRUONG MINH HUY

Read warnings about scams and phishing emails — REPORT A PROBLEM WITH OUR SITE.