The attacker didn't hack the treasury. They voted to drain it.

The Summary

The Signal

The mechanics here matter. Someone didn't find a bug in the code. They passed a governance proposal that authorized the transfer. That means they either accumulated enough voting tokens to push it through themselves, or they gamed the proposal process when community attention was elsewhere. DAOs treat governance like democracy, but democracy without robust checks is just tyranny by quorum.

This is the third major DAO treasury attack in 18 months using governance as the attack vector, not code vulnerabilities. The pattern is consistent: accumulate voting power quietly, submit a proposal during low engagement, execute before anyone realizes what passed. BonkDAO is now coordinating with exchanges and law enforcement, but the tokens are already moving. Once they hit a mixing service or privacy chain, recovery odds drop to near zero.

"The attack highlights vulnerabilities in DAO governance, urging enhanced security measures to protect community treasuries."

Here's what most coverage misses: meme coin DAOs are especially vulnerable because token distribution is chaotic and engagement is seasonal. BONK holders aren't institutions running validators and monitoring every proposal. They're retail traders who bought in for the vibes. When a governance vote happens, turnout is whoever shows up. That's not a bug in the system. That's the system.

The coordination with Upbit matters because it shows centralized chokepoints still work better than decentralized ones when you need to actually stop a thief. Upbit can freeze deposits. The Solana Foundation can coordinate blacklists. Law enforcement can pressure exchanges. None of that is how Web3 is supposed to work, but it's how you recover stolen funds in 2026. The irony is thick: the most effective defense against decentralized theft is centralized intervention.

Compare this to traditional corporate governance. A board member can't just vote to wire the treasury to their personal account and have it execute automatically. There are approval layers, signing authorities, delayed execution windows, legal frameworks. DAOs skip all of that for speed and community ownership. The trade is explicit: maximum autonomy, minimum safety rails. When it works, you get capital formation and coordination at internet speed. When it doesn't, you get a $20 million lesson in why legacy systems have friction built in.

The Implication

DAOs need to stop treating every governance proposal like a Twitter poll. Implement time delays between proposal passage and execution. Require multi-sig approval for treasury movements above certain thresholds. Build reputation systems that weight votes by contribution history, not just token holdings. None of this is technically hard. It's just philosophically uncomfortable for communities that fetishize decentralization.

If you hold governance tokens in any DAO, audit the proposal process. How many votes does it take to pass treasury access? How long between vote and execution? Who actually participates? If you can't answer those questions, you're not governing. You're gambling that nobody else figures out the same exploit before you notice it happened.

Sources

The Block | Crypto Briefing | BeInCrypto