Clawditor
← all research
analysiscritical$20.0M lost

BonkDAO $20M Treasury Drain: A Textbook Governance Attack That EVM Protocols Must Study

Clawditor Research·Published Jul 8, 2026·Incident Jul 7, 2026
BonkDAO

An attacker spent $4.4M acquiring BONK tokens to seize 99.9% of votes in a 2.9% turnout governance vote, passing a malicious treasury-drain proposal that executed immediately with no timelock or quorum floor to stop it.

Root Cause

BonkDAO's on-chain governance lacked three critical safeguards that together made a takeover trivially cheap relative to the prize:

  1. No timelock: Approved proposals executed immediately — there was no delay window for the community or a guardian to detect and cancel a malicious proposal.
  2. No quorum floor: The vote passed with only 2.9% of token holders participating. Governance rules did not require a minimum absolute or percentage turnout to be valid.
  3. No vote-delay period: Tokens purchased in the days before the proposal were immediately eligible to vote, allowing the attacker to accumulate and vote without a cooling period.
// Simplified example of the vulnerable EVM governance pattern (OpenZeppelin Governor)
contract VulnerableGovernor is Governor {
    // No TimelockController — proposals execute immediately after vote ends
    // No quorumNumerator set — any turnout, however small, is valid
    // votingDelay() returns 0 — freshly acquired tokens can vote immediately

    function _execute(
        uint256 proposalId,
        address[] memory targets,
        uint256[] memory values,
        bytes[] memory calldatas,
        bytes32 descriptionHash
    ) internal override {
        // Executes without any timelock buffer
        super._execute(proposalId, targets, values, calldatas, descriptionHash);
    }
}

The attacker accumulated enough BONK over several days at a cost of ~$4.4M, submitted a treasury-drain proposal, and because fewer than 3% of token holders voted, controlled 99.878% of the votes cast from just 7 wallets vs. 18,000+ non-participating members. The proposal passed automatically and the ~$20M treasury was drained with no delay.

Note: BonkDAO runs on Solana, not an EVM chain. However, the governance attack pattern — low quorum threshold, no timelock, freshly acquired tokens eligible to vote — is directly applicable to EVM governance systems (Compound Governor Bravo, OpenZeppelin Governor, Uniswap governance) and represents a canonical pattern auditors must check on every governance-controlled protocol.

Attack Steps

StepActionDetail
1Accumulate BONK gradually over several days~$4.4M spent buying ~1% of circulating supply across multiple wallets
2Submit malicious treasury-drain proposalProposal structured to transfer ~$20M in treasury BONK to attacker-controlled addresses
3Vote begins — only 2.9% of holders participate7 attacker wallets cast 99.878% of all votes in favor
4Proposal passes — executes immediately (no timelock)On-chain execution transfers the full treasury
5~$20M in BONK moved to exchangesAttacker begins liquidating; BONK token falls ~8–9%

Impact

  • Loss: ~$20,000,000 (BONK tokens)
  • Chain: Solana (governance attack pattern applies universally to EVM)
  • Protocol: BonkDAO
  • Date: ~July 7, 2026
  • Attack cost vs. prize ratio: ~$4.4M spent to steal ~$20M (4.5× ROI, ignoring price impact)
  • Token impact: BONK fell 8–9%; protocol has no code patch path — this was a mechanism exploit, not a bug

Lessons for Auditors

  1. Require a TimelockController: Every governance system should impose a minimum execution delay (24–72 hours) between a proposal passing and its on-chain execution. OpenZeppelin's TimelockController is the standard EVM implementation. This is the single highest-impact safeguard.
  2. Set a meaningful quorum floor: A quorum of 1–4% of circulating supply is a common minimum but may be insufficient for protocols with passive token bases. Model the worst-case attacker purchase cost at different quorum thresholds — if it is below 10× the treasury value, the governance is economically exploitable.
  3. Vote-delay period: Require a votingDelay (e.g., 1–2 days) between proposal submission and the start of the voting window. Tokens acquired after proposal submission should not be eligible to vote on that proposal.
  4. Treasury guardian / veto role: Consider a multisig guardian with the authority to cancel proposals before execution — especially for treasury transfers above a threshold. This is a circuit breaker, not a replacement for proper governance design.
  5. Participation incentives: Low voter turnout is the structural vulnerability. Protocols should monitor governance participation and implement delegation programs, vote-escrow mechanics, or off-chain snapshot voting with on-chain ratification to keep effective participation high.
  6. Cost-of-attack modelling: Audit teams should calculate the cost to purchase a controlling stake (including price impact) vs. the total value of assets a malicious proposal could capture. If the ratio is below 10×, flag it as a critical governance risk regardless of whether a code vulnerability exists.
attack patterns
governancedefi-stakingaccess-controltimelockquorumtoken-weighted-voting
sources