Root Cause
BonkDAO's on-chain governance lacked three critical safeguards that together made a takeover trivially cheap relative to the prize:
- No timelock: Approved proposals executed immediately — there was no delay window for the community or a guardian to detect and cancel a malicious proposal.
- No quorum floor: The vote passed with only 2.9% of token holders participating. Governance rules did not require a minimum absolute or percentage turnout to be valid.
- No vote-delay period: Tokens purchased in the days before the proposal were immediately eligible to vote, allowing the attacker to accumulate and vote without a cooling period.
// Simplified example of the vulnerable EVM governance pattern (OpenZeppelin Governor)
contract VulnerableGovernor is Governor {
// No TimelockController — proposals execute immediately after vote ends
// No quorumNumerator set — any turnout, however small, is valid
// votingDelay() returns 0 — freshly acquired tokens can vote immediately
function _execute(
uint256 proposalId,
address[] memory targets,
uint256[] memory values,
bytes[] memory calldatas,
bytes32 descriptionHash
) internal override {
// Executes without any timelock buffer
super._execute(proposalId, targets, values, calldatas, descriptionHash);
}
}
The attacker accumulated enough BONK over several days at a cost of ~$4.4M, submitted a treasury-drain proposal, and because fewer than 3% of token holders voted, controlled 99.878% of the votes cast from just 7 wallets vs. 18,000+ non-participating members. The proposal passed automatically and the ~$20M treasury was drained with no delay.
Note: BonkDAO runs on Solana, not an EVM chain. However, the governance attack pattern — low quorum threshold, no timelock, freshly acquired tokens eligible to vote — is directly applicable to EVM governance systems (Compound Governor Bravo, OpenZeppelin Governor, Uniswap governance) and represents a canonical pattern auditors must check on every governance-controlled protocol.
Attack Steps
| Step | Action | Detail |
|---|---|---|
| 1 | Accumulate BONK gradually over several days | ~$4.4M spent buying ~1% of circulating supply across multiple wallets |
| 2 | Submit malicious treasury-drain proposal | Proposal structured to transfer ~$20M in treasury BONK to attacker-controlled addresses |
| 3 | Vote begins — only 2.9% of holders participate | 7 attacker wallets cast 99.878% of all votes in favor |
| 4 | Proposal passes — executes immediately (no timelock) | On-chain execution transfers the full treasury |
| 5 | ~$20M in BONK moved to exchanges | Attacker begins liquidating; BONK token falls ~8–9% |
Impact
- Loss: ~$20,000,000 (BONK tokens)
- Chain: Solana (governance attack pattern applies universally to EVM)
- Protocol: BonkDAO
- Date: ~July 7, 2026
- Attack cost vs. prize ratio: ~$4.4M spent to steal ~$20M (4.5× ROI, ignoring price impact)
- Token impact: BONK fell 8–9%; protocol has no code patch path — this was a mechanism exploit, not a bug
Lessons for Auditors
- Require a TimelockController: Every governance system should impose a minimum execution delay (24–72 hours) between a proposal passing and its on-chain execution. OpenZeppelin's
TimelockControlleris the standard EVM implementation. This is the single highest-impact safeguard. - Set a meaningful quorum floor: A quorum of 1–4% of circulating supply is a common minimum but may be insufficient for protocols with passive token bases. Model the worst-case attacker purchase cost at different quorum thresholds — if it is below 10× the treasury value, the governance is economically exploitable.
- Vote-delay period: Require a
votingDelay(e.g., 1–2 days) between proposal submission and the start of the voting window. Tokens acquired after proposal submission should not be eligible to vote on that proposal. - Treasury guardian / veto role: Consider a multisig guardian with the authority to cancel proposals before execution — especially for treasury transfers above a threshold. This is a circuit breaker, not a replacement for proper governance design.
- Participation incentives: Low voter turnout is the structural vulnerability. Protocols should monitor governance participation and implement delegation programs, vote-escrow mechanics, or off-chain snapshot voting with on-chain ratification to keep effective participation high.
- Cost-of-attack modelling: Audit teams should calculate the cost to purchase a controlling stake (including price impact) vs. the total value of assets a malicious proposal could capture. If the ratio is below 10×, flag it as a critical governance risk regardless of whether a code vulnerability exists.