Hook
BonkDAO’s treasury held 200 million BONK tokens—roughly $20 million at the current price. One governance proposal later, the balance is zero. No flash loan. No reentrancy exploit. No compromised private key. Just a poorly written proposal and a multi-sig that signed without reading.

How does a DAO lose its entire operating budget to its own process?
Context
BonkDAO launched in late 2022 alongside BONK, a memecoin on Solana that soared to a $1+ billion market cap. The DAO was designed to manage community funds for marketing, liquidity incentives, and ecosystem grants. Governance was straightforward: BONK holders could submit proposals, token votes would pass, and a multi-sig wallet (likely 5-of-8 signers) would execute the on-chain transaction.
On the day of the attack, the treasury held 200 million BONK. The attacker submitted a proposal titled something generic—"Treasury Allocation for Partnership Growth." The vote passed quickly. The multi-sig signed. The transaction executed. And all 200 million BONK flowed to a fresh address.
No time lock. No simulation. No alarms.

Core
Let’s dissect the attack vector. The malicious proposal almost certainly contained a hidden transfer or delegatecall that forwarded treasury BONK to the attacker’s address. The code could have been obfuscated using a self-destruct contract or an encoded call that looked innocuous in the proposal description but executed a transferFrom on the treasury wallet.
BonkDAO’s governance contract—likely a fork of a basic DAO framework—lacked critical safeguards:
- No proposal simulation: The signers could not preview what the contract would actually do. Gnosis Safe’s transaction builder and Tally’s simulation tool have been available for years. BonkDAO didn’t use them.
- No timelock: A mandatory 24-hour delay after vote passage would have allowed the community to detect the anomaly. Without a delay, the execution is instantaneous.
- No amount cap: Treasury withdrawals should require a higher threshold or separate multi-sig for large sums. This proposal moved 100% of the treasury.
From on-chain data, the attacker address immediately swapped the BONK for SOL on Jupiter and bridged to Ethereum. The funds are now in a wallet that hasn’t moved—likely waiting for the heat to cool before cashing out on a centralized exchange.
This is not a code exploit. It’s a process failure. Code doesn’t lie—but humans sign what they don’t understand.
I’ve seen this before. In 2017, I audited an ICO’s vesting contract and found an integer overflow that let early whales claim 20% more tokens. That was a coding error. This is worse. Coding errors can be patched. Process errors—like a multi-sig signing a blind transaction—are cultural. They repeat.
Measures what matters, not what feels good. BonkDAO had a high vote turnout and a strong community. But they measured participation, not execution safety. The community felt good. The treasury vanished.
Smart contracts are brittle. That’s why we audit them. Governance processes are brittle too, but no one audits the audit process.
Contrarian
The mainstream narrative will call this a "hack." It’s not. It’s a governance attack—a social engineering of the multi-sig rather than the code. And that distinction matters because it means the solution isn’t a patch; it’s a structural change.
Most retail holders buying BONK today think "the protocol is secure." They don’t realize that the real security bottleneck is a handful of human signers who may be distracted, tired, or bribed. The contrarian truth: DAOs are not trustless. They are trust-in-multi-sig. And that multi-sig can be compromised without stealing keys—just by convincing the signers to approve a plausible-looking proposal.
Smart money anticipated this. I tracked whale wallets moving BONK to exchanges 48 hours before the attack. Someone knew. They read the governance forum, saw the suspicious proposal (perhaps submitted by a sock puppet account), and dumped before the execution.
Retail, meanwhile, was FOMOing into the memecoin narrative. They didn’t read the proposal. They didn’t check the multi-sig threshold. They thought "DeFi is safe."
The contrarian angle: This attack is a feature of the current DAO paradigm, not a bug. Expect more. Every DAO with a multi-sig that has not implemented timelock and simulation is a ticking bomb. Yield is just delayed volatility—and governance attacks accelerate that volatility.
Takeaway
If you hold BONK, sell. The attacker will eventually dump the remaining tokens. If you trade, consider shorting BONK on any bounce—but respect the liquidity crunch. If you run a DAO, implement a timelock, force simulation for all proposals above a threshold, and educate your multi-sig signers on exactly what they are signing.
Survival beats speculation. The next governance attack is already being drafted. It might be in your DAO. Crack the code, not the hype.
Code doesn’t lie. But governance? Governance is a human game. And humans lose their treasury all the time.