The $20mn drain of BonkDAO's treasury has added to growing doubts over whether decentralized autonomous organizations can remain a viable model for governing crypto projects. Already beset by voter apathy and slow, cumbersome decision-making, several large DAOs have shifted towards more centralized structures. The BonkDAO attack now highlights a more immediate danger: low participation can also leave DAO treasuries vulnerable to governance attacks.
Exploit or Just Lax Governance? BonkDAO Drain Exposes Cost of DAO Apathy
BonkDAO said on 6 Jul that a malicious governance proposal drained around $20mn worth of BONK from its treasury.
According to onchain analysis, the attacker bought about $4mn of BONK on the open market and submitted a proposal to transfer 4.4tn tokens to a wallet they controlled. The proposal remained live for six days without attracting scrutiny. Shortly before it was due to expire, the attacker used their voting power to approve it, automatically triggering the transfer from the treasury.
The response on Crypto X was closer to an eye roll than the alarm that typically follows a crypto hack. No smart contract was compromised and no private key was leaked. To some commentators, that meant the DAO had simply worked as designed. If an attacker follows every rule embedded in a governance system, they argued, has anything actually been stolen?
Patrick Quinn, a lawyer with Cullen and Dykman LLP who specializes in distributed ledger technology practice, told Sandmark that even if the attacker acted within the DAO's coded rules, the conduct could still be challenged in court "due to its abusive nature."
Hack or takeover?
Early reports cast the exploit as another entry in a bad year for blockchain security. As the details emerged, concern gave way to disbelief: the attacker had drained the treasury without compromising a smart contract, stealing a private key or carrying out any technical hack at all.
Phil Fogel, co-founder of tokenized risk infrastructure firm Cork Protocol, said in a written comment to Sandmark that calling the incident a hack lets DAOs governance off the hook. "Someone bought enough votes to pass a proposal and claim the cash. Mechanically that's not an exploit, it's a hostile takeover of an entity trading below its liquidation value. No bug required, just capital and an open market," he said.
He argued that the attack exposed a fundamental flaw in the DAO's design, with a minority of tokens able to control the entirety of its treasury.
Crypto lawyer Gabriel Shapiro argued on X that the attacker's position was more defensible than much of the governance power exercised across crypto because the voting weight was bought on the open market for $4mn rather than received through an allocation. He drew a comparison to the proposal in ENS DAO to transfer much of the treasury into a newly formed foundation, approved by the controlling vote of ENS developer nick.eth.
Old law, new rails
Courts have spent centuries building precedent to stop a similar pattern of behaviour in corporate governance.
Tokenholders who lost out could pursue several legal avenues, Quinn said, including claims of fraud, theft or unjust enrichment – the principle that someone should not be allowed to retain gains obtained unfairly. A court could also find that the attacker never had a rightful claim to the tokens and order their return, he said.
The closest parallel in traditional finance would be a shareholder accumulating enough stock to vote company funds into their own pocket. In that context, Quinn said, "there is a well-developed body of corporate law that would almost certainly invalidate such a transaction," with a controlling shareholder potentially liable for self-dealing.
However, transferring that framework to the context of a DAO could prove more complicated, Quinn said. An affected party may be able to argue the attacker has liability, but for that theory to apply, plaintiffs would need to establish that the attacker owed a fiduciary duty to the DAO, which "may be harder to establish unless it adopted a corporate framework that parallels a traditional corporate context."
A lesson in voter apathy
The proposal to move 4.4tn BONK, worth around $20mn at the time of the transfer, was cleared in part due to a lack of votes against it. There were also no safeguards in place to check the proposal before the transaction was executed.
"It seems people consistently do stupid things in the meme world," Quinn said of the design that allowed it. "The founders and developers who designed the BONK governance structure were not paying close enough attention to the holes in their token weighting structure."
He listed a number of measures that he said could have stopped the exploit, including a treasury committee to review large disbursements, timelocks on treasury votes, supermajority thresholds, multisignature approvals and constitutional limits on proposals that primarily benefit a single participant.
Developers behind the DAO could face a separate claim, he added, if token holders could show they knowingly built the governance infrastructure without these controls in place despite foreseeable risks.
A test case for DAO governance
Quinn's argument offers a potential path for those seeking to recover losses. Blockchain systems, he said, are moving beyond their roots in personal autonomy towards structures governed by legal principles far older than crypto. In that world, the idea that code is law has limits.
BonkDAO says it is working with exchanges and law enforcement to recover the funds. A court battle could turn the DAO into a test case for whether an outcome reached through a valid governance vote can still be treated as theft and reversed.
"Just because one law allows you to do something [like] acquire a large voting block and vote in accordance with your own self-interest, doesn't mean you can do that in a way that amounts to violation of another law," said Quinn.