事情是这样的:黑客先花了440万美元,不是去买币拉盘,而是去"买票"——在BONK的治理投票系统里砸钱拿到足够的投票权重。投票通过之后,金库里超过2100万美元的资金就被卷走了。这事是在7月7日的日报里被披露出来的,属于近期少见的、有具体金额的安全事件。
这里的关键不是黑客技术多高明,而是治理机制本身的漏洞。很多DAO(去中心化自治组织)的治理设计是"一币一票",谁手里代币多、投票权重就大。理论上这能防止少数人操控,但现实是:如果一个项目的治理门槛不够高、没有时间锁(提案通过后要等一段时间才能执行,给社区反应窗口)、没有多签(多个人共同签字才能动用资金)、也没有单笔投票权重上限,那么只要有人愿意砸钱买票,就能在合规流程里把金库"合法"搬空。440万美元撬动2100万美元,杠杆超过4倍,这笔账对攻击者来说显然划算。
这不是BONK一家的问题。市值中小的项目往往流通盘小、治理参与度低,攻击成本反而更低——这次事件相当于给整个赛道提了个醒:治理代币的投票权重设计、资金调用的多重审批,可能比锁仓和审计更容易被忽视,但一样致命。目前尚不清楚项目方后续会不会追加多签或投票上限等防御措施,这或许会成为下一波DAO安全审计关注的重点。
Here's how it went down: instead of buying tokens to pump the price, the attacker spent $4.4 million buying votes — accumulating enough voting weight inside BONK's governance system to push a proposal through. Once it passed, over $21 million drained out of the treasury. The breach surfaced in a July 7 market brief, a rare case of a small-cap security incident with hard numbers attached.
The real story isn't clever hacking — it's a structural flaw in how DAO (decentralized autonomous organization) governance is built. Most token-weighted voting systems assume whoever holds more tokens deserves more say. But without a high enough threshold, a timelock (a delay between a vote passing and funds actually moving, giving the community a window to react), multisig approval (requiring multiple signers to move funds), or a cap on how much voting power any single wallet can wield, someone with enough capital can simply buy their way to a "legitimate" treasury drain. Spending $4.4 million to move $21 million is better than 4x leverage — a good trade for whoever pulled it off.
This isn't just a BONK problem. Small and mid-cap projects tend to have thinner float and lower voter turnout, which actually lowers the cost of an attack like this. It's a reminder that governance-vote weighting and multi-signature fund controls can get overlooked next to things like audits and lockups — even though they're just as critical. Whether BONK's team adds multisig or vote caps in response remains to be seen, but this incident may push more DAO security audits to look there next.