
Dango exploit sees $1.9M drained from its insurance fund due to a donation logic flaw, with all funds recovered and no user losses.
Author: Kritika Gupta
14th April 2026 - Dango, a newly launched decentralized perpetual futures platform, suffered a $1.9 million exploit after a flaw in its insurance fund’s donation logic allowed an attacker to drain USDC collateral from the perps contract. The issue stemmed from a smart contract validation failure. Specifically, the donation function did not properly check that incoming donation amounts were positive. As a result, the exploiter was able to manipulate the insurance fund accounting and withdraw funds.
as required.
@0xasrequired
@dango donations to the insurance fund are such a superfluous feature -- it is very unlikely people would donate, but now it's caused this hack such a simple exploit too. Shouldn't these -ve number edge cases be standard checks for auditing firms? @zellic_io
Earlier today, Dango experienced a security incident. An attacker exploited a bug in the insurance fund's logic and drained USDC collateral held in the perps contract. The bug is that the insurance fund allows anyone to donate to it, but it fails to check that the donation
02:14 PM·Apr 13, 2026
Neo
@Ne0xf
@dango putting your junior dev at work for the insurance logic is wild but aside from that; yet another chain they can freeze on demand, and "recover" the stolen funds lol. people use this garbage and then come on X to advertise it as being decentralized.
01:53 PM·Apr 13, 2026
ALHADJI_ACE
@alhadji_ACE
@dango Man, is this not getting too much already? Exploitation and hacks every day. When will Web3 grow up? This is why no one is taking us seriously as an industry. Sad sad!
12:43 PM·Apr 13, 2026
Dango had only recently launched its DEX and introduced an insurance fund designed to absorb trading-related losses and protect platform stability. Additionally, the protocol included a donation feature that allowed users or third parties to contribute liquidity to the insurance pool.
However, the smart contract failed to sanitize inputs correctly. Because the function accepted non-positive donation values, the attacker exploited the flawed accounting logic and drained approximately $1.9 million in USDC collateral. Notably, the exploit affected the insurance layer only and did not put user positions or trader balances at risk.
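The missing check described above, modelled as an added example (it is not Dango's contract code): the `Perps` ledger, its field names and the signed `i128` amount type are assumptions made for illustration. It places an unchecked donation path beside a hardened one and adds an invariant that a property test could assert.

```rust
// Added illustration: simplified model, NOT Dango's contract code.
// Assumption: amounts are a signed integer, so a negative donation is representable.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum DonateError { NonPositive, Insufficient, Overflow }

pub struct Perps {
    pub balances: HashMap<String, i128>, // per-account USDC credit (hypothetical layout)
    pub insurance_fund: i128,
}

impl Perps {
    pub fn new(fund: i128) -> Self {
        Perps { balances: HashMap::new(), insurance_fund: fund }
    }
    // "Before": no sign check, so a negative amount credits the caller and debits the fund.
    pub fn donate_unchecked(&mut self, who: &str, amount: i128) {
        *self.balances.entry(who.to_string()).or_insert(0) -= amount;
        self.insurance_fund += amount;
    }
    // "After": reject non-positive amounts, require the caller to hold the funds,
    // and finish all checked arithmetic before mutating any state.
    pub fn donate(&mut self, who: &str, amount: i128) -> Result<(), DonateError> {
        if amount <= 0 { return Err(DonateError::NonPositive); }
        let bal = self.balances.get(who).copied().unwrap_or(0);
        if bal < amount { return Err(DonateError::Insufficient); }
        let fund = self.insurance_fund.checked_add(amount).ok_or(DonateError::Overflow)?;
        self.balances.insert(who.to_string(), bal - amount);
        self.insurance_fund = fund;
        Ok(())
    }
}

// Invariant for a property test: whatever amount is submitted, a donation
// never shrinks the fund and never raises the donor's balance.
pub fn donation_invariant_holds(amounts: &[i128]) -> bool {
    amounts.iter().all(|&a| {
        let mut p = Perps::new(1_000);
        p.balances.insert("donor".into(), 100);
        let _ = p.donate("donor", a);
        p.insurance_fund >= 1_000 && p.balances["donor"] <= 100
    })
}

fn main() {
    let mut p = Perps::new(1_000);
    p.donate_unchecked("x", -400); // constructed input modelling the missing check
    println!("unchecked: fund={} caller={}", p.insurance_fund, p.balances["x"]);
    println!("invariant: {}", donation_invariant_holds(&[-400, 0, 1, 100, 101, i128::MAX]));
}
```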
Similar donation-style exploits have appeared in DeFi before. For example, the Resupply protocol exploit in June 2025 involved attackers abusing faulty vault accounting. They deposited validation logic, leading to a $9.5 million loss. Likewise, comparable vulnerabilities have affected lending and yield protocols such as Venus and multiple ERC-4626 vault implementations.
These incidents continue to highlight how simple input validation failures can escalate into multi-million-dollar losses.
Dango responded quickly. Within minutes of detecting the exploit, the team paused the chain to prevent further movement of funds. At the same time, they worked with SEAL_911, a well-known crypto security response network, to alert Circle and major centralized exchanges in order to freeze any bridged USDC where possible.
Although the attacker initially moved funds across the bridge, rate limits significantly reduced the damage. Only $410,010 was successfully bridged to Ethereum, while approximately $1,490,012 remained recoverable on Dango’s own chain. The team later confirmed that all funds have now been fully recovered, and importantly, no user losses occurred.
Moreover, the exploiter has reportedly been identified as a white-hat actor, and Dango has opened bug bounty discussions as part of the resolution process. The vulnerable donation logic has now been completely removed, and the team is conducting further security reviews before restarting operations.
This incident once again shows that DeFi exploits do not always require complex attack vectors. In many cases, basic business logic flaws, especially around fund accounting and edge-case validation, remain the biggest risk. For perpetual DEXs, insurance funds are especially sensitive because they serve as the final layer of loss absorption during extreme volatility.
Therefore, even though this exploit did not affect users directly, it raises broader concerns around pre-launch audits, invariant testing, and real-time monitoring systems. In the short term, Dango has postponed its points farming program, which may temporarily slow platform momentum and user activity.
However, the full recovery of funds and the transparent response could ultimately strengthen market confidence, especially compared with exploits where funds remain unrecovered. This event is likely to push newer perp DEXs toward stricter audit standards for insurance fund mechanics and donation modules before launch.