Dango Resolves Exploit After White Hat Returns Funds, Users Unaffected

AMBCrypto

Summary

Dango has resolved a recent exploit after the attacker, identified as a white hat, returned all funds following a bug bounty agreement. The exploit involved draining USDC from the perpetuals contract due to a flaw in the insurance fund logic. Approximately $410,010 was bridged to Ethereum, while $1.49 million remained on-chain. Dango paused operations and worked with security partners to recover assets. User funds were never at risk. The team is now deploying new safeguards and expects to resume shortly. Traders evaluating on-chain trading signals may note the incident’s low risk-to-reward ratio for future assessments.

Dango has confirmed that funds taken in a recent exploit have been fully returned. This was after the attacker cooperated with the team and accepted a bug bounty.

The incident, disclosed earlier in the day, initially saw an attacker drain USDC collateral from the protocol’s perpetuals contract. However, the situation was quickly contained, with the majority of funds secured and later recovered in full.

Bug in insurance fund logic exploited

According to Dango, the exploit stemmed from a flaw in its insurance fund donation logic.

The contract allowed users to donate to the insurance fund, but failed to verify that the donation amount was positive. This oversight enabled the attacker to manipulate the system and extract funds from the perps contract.

The team said the vulnerability was isolated and did not affect core trading functions such as order matching, profit and loss settlement, or liquidations.
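
The missing positive-amount check described above, shown on a toy ledger as an added example (this is not Dango's contract code). The `Ledger` type, the signed `i128` amounts and the way a negative donation moves value are assumptions made for illustration; the article does not describe the contract's internals.

```rust
// Toy ledger for illustration only; not Dango's contract code.
// Assumption: amounts are signed, so a negative "donation" is representable.
#[derive(Debug, PartialEq)]
pub enum DonateError {
    NonPositiveAmount,
    InsufficientBalance,
}

pub struct Ledger {
    pub donor_balance: i128,
    pub insurance_fund: i128,
}

impl Ledger {
    /// Flawed: only checks that the donor can cover `amount`. A negative
    /// amount passes that check and moves value out of the fund instead.
    pub fn donate_unchecked(&mut self, amount: i128) -> Result<(), DonateError> {
        if self.donor_balance < amount {
            return Err(DonateError::InsufficientBalance);
        }
        self.donor_balance -= amount;
        self.insurance_fund += amount;
        Ok(())
    }

    /// Hardened: rejects zero and negative amounts before touching state.
    pub fn donate_checked(&mut self, amount: i128) -> Result<(), DonateError> {
        if amount <= 0 {
            return Err(DonateError::NonPositiveAmount);
        }
        self.donate_unchecked(amount)
    }
}

/// Invariant for tests or monitoring: a donation must never shrink the fund.
pub fn fund_shrank(before: i128, after: i128) -> bool {
    after < before
}

fn main() {
    // Constructed sample balances.
    let mut weak = Ledger { donor_balance: 100, insurance_fund: 1_000 };
    let before = weak.insurance_fund;
    weak.donate_unchecked(-400).unwrap();
    println!("unchecked: fund {} -> {}, shrank = {}", before, weak.insurance_fund, fund_shrank(before, weak.insurance_fund));
    let mut safe = Ledger { donor_balance: 100, insurance_fund: 1_000 };
    println!("checked: {:?}, fund = {}", safe.donate_checked(-400), safe.insurance_fund);
}
```

Using an unsigned amount type removes the negative case at the type level, but the zero check and an invariant test on the fund balance are still worth keeping.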

Losses limited by bridge restrictions

The attacker was able to bridge approximately $410,010 USDC to Ethereum. However, an additional $1.49 million remained on-chain within Dango, thanks to built-in bridge rate limits.

This design feature prevented the attacker from fully withdrawing the exploited funds, giving the team time to respond and initiate recovery efforts.

Dango paused the chain shortly after detecting the issue and began coordinating with security partners, including the Security Alliance, as well as notifying major exchanges and stablecoin issuers.

Funds returned as attacker turns white hat

In a follow-up update, the team confirmed that the attacker returned the funds in full and was subsequently awarded a bug bounty.

Dango described the actor as a “white hat,” acknowledging their role in identifying the vulnerability and preventing further damage.

“All affected users will be made whole,” the team said, adding that user funds were never at risk beyond the isolated contract.

Protocol resumes with added safeguards

With the issue resolved, Dango is now working to deploy additional safeguards to prevent similar vulnerabilities in the future.

The platform is expected to resume operations shortly, with its points program temporarily postponed.


Final Summary

  • A bug in Dango’s insurance fund logic allowed an attacker to drain funds, though bridge restrictions limited losses.
  • The funds were later returned in full by a white hat, leaving users unaffected and the protocol preparing to resume operations.