$4.4 million used to steal $20 million, the attacker might be an "insider"? DeFi governance has become a joke.



What is the most "legal" robbery you have ever seen?

In the early hours of July 6, BonkDAO on the Solana ecosystem was drained.

It wasn't a hacker attack, nor a contract vulnerability.

It was a vote.

The attacker spent $4.4 million to buy BONK tokens and submitted a governance proposal titled "BIP #76 - Sowellian BonkDAO".

On the surface, it said "Rebuild from the ashes, monetize holdings, stop the bleeding," promising to reward all yes voters with BONK tokens.

In reality, the proposal contained only one effective instruction:

Transfer the 4.4 trillion BONK from the treasury directly into the attacker's wallet.

— The entire process was technically completely legal.

The proposal passed.

The treasury was emptied.

The attacker ran away.

But the latest investigation findings have completely changed the nature of the matter.

On-chain security firm Specter traced the funds and found:

The attacker's address had traces of fund flows with the addresses of Realms' founder and Crypto Notte.

What is Realms?

It's the governance platform that BonkDAO used for voting.

The investigation also found that an address related to the attacker had become the first voter in a test proposal created by Realms' founder in January 2023, and received 1 DEANS from Realms.

Even more absurd—BonkDAO had over 18k registered members.

Only 7 wallets voted.

The attacker used the yes votes from 7 wallets to take away $20 million.

18,000 people remained silent, 7 people decided everything.

Ripple's former CTO David Schwartz directly characterized it: This is corporate fraud. State courts will not accept "code is law" as a defense.

The code is legal, but the action is fraudulent.

What does this tell us?

First, "decentralized governance" is becoming a joke.

A 1% voting threshold can be bought through with $4.4 million.

Second, the most dangerous vulnerability is not code, but people.

If the attacker really has ties to the inside of the governance platform—

Then this is not an external attack.

It's an insider taking the key, walking through the front door, and carrying away the vault.

Third, stop saying "code is law".

Code can perfectly execute a malicious transfer.

But code won't tell you who the person behind that transfer is.

#GUSD年化升至3.8% #美终止对伊朗石油制裁豁免 $BTC $SOL $BONK
BTC-1.63%
SOL-4.46%
BONK-7.53%
View Original
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • Comment
  • Repost
  • Share
Comment
Add a comment
Add a comment
No comments
  • Pinned