Share on XShare on LinkedInShare on Telegram
Hack Analysis

BonkDAO $21.2M Governance Takeover Exploit (Explained)

A quorum priced below the treasury it guarded, a zero-second timelock, and no secondary sign-off let one vote move the entire treasury instantly.

Author
QuillAudits Team
July 14, 2026
BonkDAO $21.2M Governance Takeover Exploit (Explained)
Share on XShare on LinkedInShare on Telegram

On July 6, 2026, at 09:42 UTC, BonkDAO lost approximately $21.2M when a governance proposal it had approved itself triggered a full treasury transfer in the same transaction the vote closed. There was no smart contract bug, no private key theft, no flash loan, and no reentrancy. The code did exactly what it was told to do. An attacker spent roughly $4.4M buying just over one percent of BONK's circulating supply, used it to clear the DAO's quorum threshold, and voted itself 4.426 trillion BONK out of the community treasury.

Protocol Background

BonkDAO governs the BONK token through Realms, Solana's SPL Governance front end used by more than 800 DAOs on the network. Governance is token-weighted: one BONK equals one vote, and any wallet holding enough tokens can create and pass a binding proposal, including one that moves assets directly out of the DAO's treasury (F8FqZuUKfoy58aHLW6bfeEhfW9sTtJyqFTqnxVmGZ6dU).

Four configuration parameters governed what a proposal could do and how fast:

  • Community vote quorum threshold: 1% of the governing token supply, equal to 879.95 billion BONK.
  • Proposal creation threshold: 100 million BONK, the minimum balance needed to submit a binding proposal.
  • Instruction hold-up time: 0 seconds. No delay or veto window existed between a proposal passing and its instructions executing.
  • Treasury transfer authority: a passed proposal could encode a direct token transfer out of the treasury as one of its instructions, with no additional multisig or council sign-off required beyond the vote itself.

Hack Analysis

On June 30, 2026, a wallet submits proposal BIP #76, calling itself Sowellian BonkDAO, and pitches it as a reform effort to rebuild the DAO. Buried underneath that pitch is a direct instruction to transfer 4,426,104,450,305 BONK from the treasury to a wallet the submitter controls.

bonk-1.png

Over the next few days, on July 4 and 5, a separate wallet quietly builds up a BONK position, buying on exchanges and borrowing the rest, until it holds roughly 882.1 billion BONK, just enough to clear the 879.95 billion needed for quorum. The whole position costs around $4.4M.

bonk-2.png

When voting closes on July 6, almost the entire yes side comes from just two major wallets: one holding 882.2 billion BONK and casting 99.87% of the yes vote, and a second holding 97.8 million BONK for the remaining 0.011%. The final count comes in at 882,383,387,283 BONK in favor against 710,848,288 against, a lopsided win reached with only 2.9% of the DAO turning out to vote.

bonk-3.pngbonk-4.png

The vote closes at 09:42 UTC, and because the DAO's instruction hold-up time is set to zero seconds, the transfer instruction fires immediately, in the very same transaction. 4,426,104,450,305 BONK leaves the treasury and lands in wallet 9bxWkNf3BtJ6iehq9KbX9uCWMjem4TFiPZ19T2sYJHvQ.

bonk-5.png

Root Cause

This was not a smart contract vulnerability, every instruction executed exactly as BonkDAO's own governance program specified. The root cause was a quorum threshold that cost less to acquire than the treasury it guarded, with nothing standing between a passed vote and the transfer.

bonk-6.png

  • Quorum (879.95B BONK, ~$4.4M to acquire) cost less than the treasury it controlled (~$21.2M).
  • Instruction hold-up time was 0 seconds, no window to intervene once the vote closed.
  • No secondary sign-off (multisig, council, timelock) existed on treasury-transfer instructions.
  • The transfer instruction was visible from day one, but nothing forced review of it before a vote could be cast.

Attribution for the wallets behind the proposal and the vote remains unconfirmed.

How QuillAudits Governance Review Could Have Prevented This

Quorum-to-treasury-value modeling. A quorum threshold should be priced against the treasury it unlocks, not set as a flat percentage in isolation.

Mandatory timelock on treasury-transfer instructions. A 24-72 hour hold-up window on any instruction moving treasury assets gives the team and community a chance to catch and challenge it before funds move.

Secondary sign-off for treasury transfers specifically. Any instruction moving treasury funds above a set threshold should require a separate council multisig or guardian signature, so a vote alone is never sufficient.

Automated flagging of treasury-transfer instructions at submission. Governance tooling can parse a proposal's instructions at submission time and surface a mandatory warning on any direct treasury transfer.

Post-Attack Mitigation

BonkDAO comes forward soon after the vote closes and says a malicious proposal drained an estimated $20M in BONK from the treasury. The team says it has already identified the exchange wallets used to buy the votes, and that law enforcement has been notified.

Days later, BonkDAO posts a follow-up to reassure holders. The BONK token itself was never touched, no individual wallets or user funds were affected, and the damage stayed contained to that one treasury vote. The wallets involved are still being watched, exchanges have paused withdrawals as a precaution, and a full post-mortem is on the way.

Funds Flow After Attack

The stolen funds are still held in the attacker's wallet as BONK tokens EXaJnmrLf7RAKLfn1hehoKX94keKYmvZm5H5zuYVeh42

bonk-7.png

Relevant Addresses and Transactions

BonkDAO Treasury

Proposal Creator Wallet

Voting Wallets (Yes)

Attacker Wallets (Post-Drain)

Proposal

Key Transactions

Conclusion

BonkDAO's treasury did not fall to a code exploit. It fell to a governance configuration that made a $4.4M outlay a rational bid for a $21.2M treasury, with no timelock and no secondary sign-off standing in the way once quorum cleared. Every check the DAO's program performed passed correctly. The specification, not the code, was the vulnerability. A quorum threshold is only a safeguard if buying it costs more than the treasury it protects.

Contents

Tell Us About Your Project
Subscribe to Newsletter
hashing bits image
Loading...
cta-bg

WE SECURE EVERYTHING YOU BUILD.

From day-zero risk mapping to exchange-ready audits — QuillAudits helps projects grow with confidence. Smart contracts, dApps, infrastructure, compliance — secured end-to-end.

QuillAudits Logo


ISO 27001
DeFi Security AllianceplumeUniswap FoundationAethiropt-collectivePolygon SPNBNB Chain Kickstart

All Rights Reserved. © 2026. QuillAudits - LLC