In July 2026, BonkDAO was the victim of an estimated $20 million hack. The attacker performed a governance takeover of the project’s treasury on Solana’s Realms platform.
Inside the Attack
The BonkDAO exploit began with a malicious governance proposal submitted on June 30. Bonk Improvement Proposal #76 claimed to be about rewarding “YES voters” but included a hidden clause that would transfer 4.43 trillion BONK from the project’s treasury to an attacker-controlled address.
To defeat BONK’s governance system and have their proposal approved, the attacker needed YES votes totaling approximately 1% of the total supply of the BONK token. They used a second wallet to spend about $4.4 million on Bybit and Binance to purchase the required assets.
After the proposal was launched, BONK users had six days to vote on it. While six wallets not controlled by the attacker voted on it, the attacker controlled about 99.878% of the total vote. The low turnout meant that the attacker completely controlled the voting process.
Once the proposal was approved, it was executed immediately with no timelock. As a result, the $20 million in BONK tokens were transferred to the attacker’s address. Later, about $188,000 worth of the stolen tokens were moved to a centralized exchange as part of a cash-out attempt, while the remainder was moved to a multisig wallet titled “BONK 2.0” with three wallets linked to the attacker as the approved signers.
Lessons Learned from the Attack
The Bonk hack was a demonstration of the potential risks associated with decentralized governance. When votes are determined by the number of tokens that someone controls, an attacker with enough money to buy up votes can determine whether proposals are approved or denied. In this case, the attacker spent an estimated $4.4 million buying the vote on a proposal that would transfer $20 million worth of tokens into their account.
This attack was made possible by the fact that Bonk lacked common security controls, such as timelocks and a reasonable quorum threshold. Requiring only 1% of the overall supply for a valid vote meant that the attacker was able to acquire sufficient tokens to unilaterally approve their own proposal. Since this proposal was executed immediately after voting closed, the Bonk team had no opportunity to attempt to freeze the malicious transaction.
Protecting against this type of attack requires careful protocol design and the implementation of security best practices for decentralized governance. To learn more about protecting your protocol against this threat, get in touch with Halborn.
