BonkDAO says a malicious governance proposal just drained roughly $20 million worth of BONK from its treasury, and it has already traced the wallets used to buy up voting power before the vote.
BonkDAO disclosed the exploit in a statement posted to its official X account. According to the DAO, an attacker used a governance proposal designed to look legitimate to move BONK out of the treasury, and the DAO now estimates the loss at approximately $20 million worth of tokens.
The response so far has moved fast, at least on the investigation side. BonkDAO says it has identified the exchange wallets used to purchase BONK ahead of the proposal being submitted, the same accumulation pattern that shows up in almost every governance attack: buy or borrow enough tokens to swing a vote, then use that vote to move funds before anyone can react. BonkDAO says it is now working directly with exchanges, cross-chain bridges, and the Solana Foundation to track and, where possible, freeze the funds before they can be laundered further. Law enforcement has also been notified, according to the DAO's statement.
This is not a new attack pattern, even if the target is. Beanstalk, a DeFi stablecoin protocol, lost close to $180 million in 2022 after an attacker used flash loans to instantly acquire a supermajority of governance voting power and pass a malicious proposal, the entire attack taking roughly 13 seconds from vote to drain. Compound Finance faced its own version in 2024, when a delegate group pushed through a proposal reallocating $24 million in COMP tokens, a vote that passed by a narrow margin and that other delegates publicly called a governance attack rather than a legitimate proposal. Cream Finance, Tornado Cash and Build Finance have all suffered similar governance-based losses, with combined losses across these kinds of exploits well past $300 million industry-wide.
The common thread is that DAO governance, built to be open and permissionless, is also the attack surface. Anyone who can accumulate enough tokens or voting power, whether by buying, borrowing, or delegation, can put a proposal on-chain that looks procedurally valid right up until it executes.
BonkDAO has not yet said whether the tokens used to swing the vote were bought outright, borrowed, or delegated, and it has not named the wallets publicly. The DAO says the investigation is ongoing and that it will continue working with exchanges and other parties to recover funds and identify who is responsible.
BONK is one of the highest-profile memecoins built on Solana, and BonkDAO governs its treasury and ecosystem funding through on-chain proposals, the same structure that just got turned against it. A confirmed $20 million loss from that treasury would be one of the larger governance-attack losses tied to a Solana-based token to date, though the final figure could shift as the investigation continues.
For BONK holders, the immediate question is not just how much was taken but whether any of it comes back. Recovery in cases like this depends heavily on speed: exchanges freezing deposits before an attacker can cash out, bridges flagging suspicious cross-chain transfers, and, where the trail leads off-chain, law enforcement picking it up from there. BonkDAO's early identification of the exchange wallets used to accumulate voting power gives it a head start most governance-attack victims don't get. Whether that translates into recovered funds is now down to how fast those exchanges and the Solana Foundation can act on it.
Also read: Strategy's $216 million Bitcoin sale cracks Saylor's bulletproof thesis • What Is a Prediction Market and How Do Polymarket and Kalshi Price Truth • What Is Liquid Staking? How Tokens Like stETH Actually Get Repriced