Dango Perps Protocol Exploited for $1.9M via Insurance Fund Sign Error, Chain Paused While $1.49M Recovered
Summary
Decentralized perpetuals protocol Dango was exploited Monday for approximately $1.9 million in USDC after an attacker discovered that the platform’s insurance fund donation function failed to validate that incoming amounts were positive — a sign-check omission that allowed collateral to be drained rather than deposited.
The bug, confirmed by Dango in an official statement, is elementary in nature but consequential in impact: by submitting a negative donation value, the attacker reversed the fund flow, pulling USDC collateral out of the perps contract rather than adding to it. The vulnerability was isolated to the insurance fund donation logic and did not affect order matching, PnL settlement, or liquidation mechanics.
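The failure mode described above is easy to reproduce in miniature. The following is an added illustration written for this article, not Dango's code: a toy perps vault with an insurance fund whose donation path takes a signed amount and never checks its sign, shown next to a hardened version. All names (`Vault`, `donate_unchecked`, `donate`), the USDC amounts, and the 6-decimal unit are constructed for the example.

```rust
// Added illustration (not Dango's code): a toy perps vault with an insurance
// fund, showing a donation path without a sign check next to a hardened one.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum DonateError {
    NonPositiveAmount,
    InsufficientBalance,
    Overflow,
}

#[derive(Debug, Default)]
pub struct Vault {
    /// Collateral credited to each trader, in USDC base units (6 decimals, constructed).
    pub collateral: HashMap<String, i128>,
    /// Pooled insurance fund that backs bad debt.
    pub insurance_fund: i128,
}

impl Vault {
    pub fn new() -> Self {
        Self::default()
    }

    pub fn deposit(&mut self, who: &str, amount: i128) {
        *self.collateral.entry(who.to_string()).or_insert(0) += amount;
    }

    pub fn balance_of(&self, who: &str) -> i128 {
        *self.collateral.get(who).unwrap_or(&0)
    }

    /// VULNERABLE pattern (the class of bug the article describes): the amount is
    /// signed and never validated, so a negative value reverses the flow and moves
    /// funds from the insurance fund into the caller's collateral account.
    pub fn donate_unchecked(&mut self, who: &str, amount: i128) {
        let bal = self.collateral.entry(who.to_string()).or_insert(0);
        *bal -= amount;
        self.insurance_fund += amount;
    }

    /// HARDENED: reject non-positive amounts, require the caller to actually hold
    /// the collateral being donated, and fail closed on arithmetic overflow.
    pub fn donate(&mut self, who: &str, amount: i128) -> Result<(), DonateError> {
        if amount <= 0 {
            return Err(DonateError::NonPositiveAmount);
        }
        let bal = self.balance_of(who);
        if bal < amount {
            return Err(DonateError::InsufficientBalance);
        }
        let new_fund = self
            .insurance_fund
            .checked_add(amount)
            .ok_or(DonateError::Overflow)?;
        self.collateral.insert(who.to_string(), bal - amount);
        self.insurance_fund = new_fund;
        Ok(())
    }

    /// Sum of all collateral plus the fund. Note that a donation of either sign
    /// conserves this total, so a totals-only invariant would not catch the bug.
    pub fn total_value(&self) -> i128 {
        self.collateral.values().sum::<i128>() + self.insurance_fund
    }
}

/// Replays one constructed scenario against both paths and returns
/// (caller collateral after the unchecked call, fund after the unchecked call,
/// result of the hardened call). Amounts are constructed, not incident figures.
pub fn replay() -> (i128, i128, Result<(), DonateError>) {
    let fresh = || {
        let mut v = Vault::new();
        v.insurance_fund = 1_000_000_000_000; // 1,000,000 USDC (constructed)
        v.deposit("caller", 1_000_000); // 1 USDC (constructed)
        v
    };
    let negative = -500_000_000_000; // a "donation" of -500,000 USDC

    let mut vulnerable = fresh();
    vulnerable.donate_unchecked("caller", negative);

    let mut hardened = fresh();
    let res = hardened.donate("caller", negative);

    (vulnerable.balance_of("caller"), vulnerable.insurance_fund, res)
}

fn main() {
    let (collateral, fund, res) = replay();
    println!("unchecked path: caller collateral {collateral}, insurance fund {fund}");
    println!("hardened path:  {res:?}");
}
```

Two design points worth noting. First, the cleanest fix is to make a negative donation unrepresentable at the boundary (an unsigned amount type), with the explicit `amount <= 0` check kept as defence in depth wherever a signed type must be accepted. Second, `total_value` is unchanged by the unchecked call, so a conservation check on the vault as a whole would have passed; the invariant that actually detects this class of bug is directional (the insurance fund must never decrease on a donation, and no account may be credited by one).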
A bridge rate limit already in place at the time of the attack proved to be the critical circuit breaker. Of the total $1,900,022 exploited, the attacker successfully bridged $410,010 USDC to Ethereum before the rate limit triggered. The remaining $1,490,012 remains on the Dango chain and is being actively recovered following a chain pause. That $1.49 million recovery — made possible by an infrastructure safeguard rather than any active response — meaningfully narrows the real-world loss, though it also raises questions about why a donation function with no input validation was deployed to a contract holding user collateral.
Dango has contacted SEAL-911, the blockchain security incident response group, which has since notified Circle and major exchanges. The attacker’s Dango and Ethereum wallet addresses have been publicly identified. The team has invited the exploiter to negotiate a bug bounty.
All affected users will be made whole, Dango said. The protocol’s points program has been postponed pending full recovery and relaunch.