BonkDAO announced Monday it was hit by a malicious governance proposal that siphoned roughly $20 million in BONK tokens from its treasury, according to a post on its official X account.

The attack exploited BonkDAO's governance mechanism, where token holders vote on proposals to move treasury funds. A malicious proposal passed and executed without intervention, redirecting tokens away from the DAO's control. The exact technical path—whether a governance vulnerability, a threshold problem, or a voting manipulation—remains unclear from available statements.

BONK is the memecoin native to the Solana ecosystem. The theft represents a material hit to the organization's operating capital. At current market prices, the loss exceeds $20 million in nominal value, though the token's trading volume and the timing of the drain will affect the real liquidation cost if the attacker attempts to exit the position.

No details have emerged about the attacker's identity, the proposal mechanics that enabled passage, or whether the tokens have been moved to exchanges or wallets controlled by identifiable parties. BonkDAO has not yet published a full forensic timeline, including the proposal ID, voting window, threshold crossed, or the exact block height of the drain.

DAOs have faced similar governance attacks before, often via low quorum votes, compromised signer keys, or flash-loan manipulation of voting power. Responses typically include pausing treasury access, forking the chain to roll back the transaction (a nuclear option rarely taken), or working with exchanges to freeze withdrawals if the attacker attempts to cash out. None of these mitigation steps have been confirmed for BonkDAO.

The incident underscores the operational risk in decentralized governance structures where code execution is irreversible and on-chain voting can be gamed by actors with sufficient capital or access to governance tokens. The Solana blockchain does not support transaction reversal at the protocol level, limiting remediation options to freezing movement at downstream exit points—if the tokens can be identified before they're scattered across multiple addresses or swapped into other assets.