Dango has confirmed that funds taken in a recent exploit have been fully returned. This was after the attacker cooperated with the team and accepted a bug bounty.
The incident, disclosed earlier in the day, initially saw an attacker drain USDC collateral from the protocol’s perpetuals contract. However, the situation was quickly contained, with the majority of funds secured and later recovered in full.
Bug in insurance fund logic exploited
According to Dango, the exploit stemmed from a flaw in its insurance fund donation logic.
The contract allowed users to donate to the insurance fund, but failed to verify that the donation amount was positive. This oversight enabled the attacker to manipulate the system and extract funds from the perps contract.
The team said the vulnerability was isolated and did not affect core trading functions such as order matching, profit and loss settlement, or liquidations.
Losses limited by bridge restrictions
The attacker was able to bridge approximately $410,010 USDC to Ethereum. However, an additional $1.49 million remained on-chain within Dango, thanks to built-in bridge rate limits.
This design feature prevented the attacker from fully withdrawing the exploited funds, giving the team time to respond and initiate recovery efforts.
Dango paused the chain shortly after detecting the issue and began coordinating with security partners, including the Security Alliance, as well as notifying major exchanges and stablecoin issuers.
Funds returned as attacker turns white hat
In a follow-up update, the team confirmed that the attacker returned the funds in full and was subsequently awarded a bug bounty.
Dango described the actor as a “white hat,” acknowledging their role in identifying the vulnerability and preventing further damage.
“All affected users will be made whole,” the team said, adding that user funds were never at risk beyond the isolated contract.
Protocol resumes with added safeguards
With the issue resolved, Dango is now working to deploy additional safeguards to prevent similar vulnerabilities in the future.
The platform is expected to resume operations shortly, with its points program temporarily postponed.
Final Summary
- A bug in Dango’s insurance fund logic allowed an attacker to drain funds, though bridge restrictions limited losses.
- The funds were later returned in full by a white hat, leaving users unaffected, and the protocol preparing to resume operations.
Source: https://ambcrypto.com/dango-exploit-resolved-after-white-hat-returns-funds-users-unaffected/
