Flash loan governance attack drained $11M treasury through malicious proposal
On June 11, 2026, Token of Power suffered an $11 million governance attack. The attacker used a flash loan to temporarily acquire a majority of voting power in the DAO, then submitted and passed a malicious proposal to transfer the entire treasury to their control. The proposal executed automatically through the governance timelock, draining approximately $11 million in ETH and governance tokens. The attacker repaid the flash loan within the same transaction, leaving the protocol with no treasury and no way to reverse the action.
The stolen treasury funds were immediately split across 20+ wallets. ETH portions were deposited into Tornado Cash and Railgun. Governance tokens were swapped for ETH through decentralized exchanges before mixing. The attacker demonstrated sophisticated knowledge of governance mechanics and flash loan infrastructure. No funds have been recovered.