On July 6, an attacker used Bonk DAO's own governance system, not a smart contract exploit, to drain roughly 4.43T BONK tokens, about $20.5M, from the DAO's community treasury on Solana. Governance attacks like this are detectable, and a Hypernative customer already stopped a nearly identical one before it could execute.
The mechanism required no code vulnerability. An attacker needed only enough BONK to cross the DAO's approval threshold, and a treasury with no execution delay standing between a passed vote and a completed transfer. Both conditions were true on July 6.
Governance-vector attacks against DAO treasuries are becoming more attractive precisely because they sidestep smart contract security entirely. No audit catches a proposal that does exactly what the code allows it to do.
What is Bonk DAO, and why governance was the attack surface
Bonk DAO governs the BONK ecosystem token on Solana through Realms, the SPL Governance framework used by a large share of Solana-native DAOs to manage treasuries and protocol parameters through token-weighted voting. Under this model, any wallet holding enough of the governance token can submit a proposal, and any proposal that clears the DAO's approval threshold executes once its voting period ends, unless the DAO has configured additional friction, such as a timelock, between a passed vote and execution.
Bonk DAO's configuration set that threshold at 1% of approval-weighted supply, with no execution timelock.
How the attack unfolded
Proposal creation. On June 30, an attacker wallet created governance proposal "BIP #76, Sowellian Bonk DAO," inserted a treasury-transfer instruction, and signed it off.
Voting power accumulation. A second attacker wallet acquired approximately 882.3 billion BONK, about 1.003% of supply and roughly $4.09M at the time, just enough to clear Bonk DAO's approval threshold.
Vote and finalization. The wallet cast the decisive Approve vote, outweighing roughly 710M BONK in community Deny votes.
Execution. After the five-day voting period closed, and with no execution timelock in place, the attacker finalized and immediately executed the proposal. Approximately 4.43T BONK moved from the treasury to a loot wallet.
Exit. The attacker relinquished the vote and withdrew the roughly $4.09M in staked BONK used to secure it, recovering the cost of the attack and leaving with the treasury for the price of gas.
What failed
Bonk DAO's governance treated a passed vote as sufficient authorization by itself. It wasn't enough on either count.
A quorum set as a percentage of total supply only works as a real barrier when turnout is high. On a proposal most of the DAO ignored, the threshold that looked meaningful on paper became cheap to buy outright.
Nothing stood between a passed vote and a completed transfer, either. No delay, no secondary check, no one positioned to catch a low-turnout outcome before the funds moved.
Either gap closed likely stops this.

A nearly identical attack that was stopped
Earlier this year, an attacker submitted a governance proposal against Reserve's hyUSD token, a decentralized token folio that had gone dormant for over a year. The proposal called for upgrading two of hyUSD's core contracts to an unverified implementation. No forum discussion had preceded it. Had it succeeded, the attacker would have drained roughly $80,000 in TVL and all of the RSR governance tokens staked on hyUSD.
The difference was time. ABC Labs, the core development team behind the Reserve Protocol, monitors governance activity across its DAOs using Hypernative's Onchain Monitoring & Automated Response, with severity-based alerting that treats proposals carrying privileged actions, like contract upgrades or role changes, differently from routine governance. The proposed upgrade generated an alert the moment it was posted. ABC Labs investigated the proposer address and the target contract, then notified the broader community through Telegram, betting that public visibility was the fastest path to a coordinated response.
RSR holders mobilized, staking enough against the proposal to outweigh the attacker's voting power. Within 24 hours, the attacker unstaked and walked away.
Reserve's hyUSD proposal and Bonk DAO's BIP #76 are structurally the same attack: a governance proposal engineered to move treasury value to an attacker-controlled address, through the DAO's own legitimate vote. Both were plain about what they'd do if approved. Reserve's was flagged and defeated within 24 hours. Bonk DAO's sat for six days with nothing flagging it at all.
Read the full case study: How Reserve Secures a DTF Ecosystem Built on Decentralized Control
The check that was missing
In Bonk DAO's case, nothing checked where the money was actually going. The treasury sent nearly its entire balance to a wallet it had never sent funds to before, and nothing flagged that as unusual before the transfer executed.
Reserve's hyUSD proposal was caught on the same signal. The tell wasn't that a contract upgrade sounds dangerous. It was that the new implementation address had no history and no forum discussion behind it. Reserve's governance monitoring flagged the unrecognized destination the moment the proposal posted.
The takeaway
Bonk DAO's loss was not a failure of Solana, SPL Governance, or DAO structures generally.
Governance-based treasury attacks are becoming more common precisely because they require no code vulnerability, only enough capital to cross whatever threshold a DAO has set and enough patience to wait out whatever delay, if any, stands between a vote and an execution. Reserve's hyUSD proposal shows the same attack does not have to work. The difference is whether a DAO's governance parameters, and the monitoring watching them, give a community time to react before a vote becomes a transfer.
Reach out for a demo of Hypernative’s solutions, tune into Hypernative’s blog and our social channels to keep up with the latest on cybersecurity in Web3.
Proactive security for onchain finance.







