Dango (custom-L1 perpetual DEX; Grug engine on Tendermint): Missing sign/positivity check on `donate()` input in the insurance-fund contract — negative value reversed accounting direction
Dango's perp DEX lost $1.9M when its insurance-fund donation function accepted a negative value — letting an attacker "donate" their way to withdrawing the vault — but a bridge rate-limiter and emergency chain-pause froze $1.49M on-chain and the white-hat returned the bridged $410K for a bounty, leaving users whole.
Summary #
Dango (custom-L1 perpetual DEX; Grug engine on Tendermint), a perpetual futures DEX, was exploited on 2026-04-13, resulting in a loss of approximately $1.9M (about $2M).
What happened #
On 2026-04-13 the insurance-fund contract of Dango's perp DEX was drained of roughly $1.9M. The root cause was a missing sign/positivity check on the `donate()` input: the function accepted a negative amount, which reversed the direction of the accounting, so a "donation" of a negative value moved funds out of the vault to the caller instead of into it, letting the attacker "donate" their way to withdrawing the vault. Two controls limited the damage: a bridge rate-limiter and an emergency chain-pause kept $1.49M from leaving the chain. The $410K that had already been bridged was returned by the white-hat in exchange for a negotiated bounty (amount undisclosed), leaving users whole.
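The bug class above, as an added illustration (this is not Dango's code; the ledger, type names and `donate_*` functions are hypothetical and written in Rust because the Grug engine is Rust-based). The vulnerable path takes a signed amount and moves it with plain signed arithmetic, so a negative "donation" runs the transfer backwards: the donor's balance grows and the vault shrinks, and the ordinary balance check passes because `0 >= -x` is always true. The hardened path rejects any non-positive amount before touching state and uses checked arithmetic so a wraparound cannot hide a second sign error.

```rust
// Added example: a toy insurance-fund ledger showing a missing positivity
// check on a donation input. Not Dango's code; all names are hypothetical.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum DonateError {
    NonPositiveAmount,
    InsufficientBalance,
    Overflow,
}

#[derive(Default)]
pub struct InsuranceFund {
    /// Total assets held by the insurance vault (hypothetical ledger).
    pub vault: i128,
    /// Free balances of accounts on the exchange.
    pub balances: HashMap<String, i128>,
}

impl InsuranceFund {
    /// Vulnerable: trusts the sign of `amount`.
    /// donor -= amount; vault += amount. With amount < 0 both moves reverse.
    pub fn donate_vulnerable(&mut self, donor: &str, amount: i128) -> Result<(), DonateError> {
        let bal = self.balances.entry(donor.to_string()).or_insert(0);
        // For negative amounts this check is vacuous: any balance >= a negative number.
        if *bal < amount {
            return Err(DonateError::InsufficientBalance);
        }
        *bal -= amount;          // negative amount: donor balance goes UP
        self.vault += amount;    // negative amount: vault goes DOWN
        Ok(())
    }

    /// Hardened: reject non-positive input first, then move funds with
    /// checked arithmetic so no overflow can reintroduce a sign flip.
    pub fn donate_checked(&mut self, donor: &str, amount: i128) -> Result<(), DonateError> {
        if amount <= 0 {
            return Err(DonateError::NonPositiveAmount);
        }
        let bal = self.balances.entry(donor.to_string()).or_insert(0);
        if *bal < amount {
            return Err(DonateError::InsufficientBalance);
        }
        let new_bal = bal.checked_sub(amount).ok_or(DonateError::Overflow)?;
        let new_vault = self.vault.checked_add(amount).ok_or(DonateError::Overflow)?;
        *bal = new_bal;
        self.vault = new_vault;
        Ok(())
    }
}

/// Replays the attack shape against the vulnerable path: a donor with zero
/// balance "donates" `-drain`. Returns (vault_after, donor_balance_after).
pub fn replay_negative_donation(vault: i128, drain: i128) -> (i128, i128) {
    let mut fund = InsuranceFund { vault, ..Default::default() };
    fund.donate_vulnerable("attacker", -drain)
        .expect("vulnerable path accepts a negative donation");
    (fund.vault, fund.balances["attacker"])
}

/// Same call against the hardened path. Returns (result, vault_after).
pub fn hardened_rejects(vault: i128, drain: i128) -> (Result<(), DonateError>, i128) {
    let mut fund = InsuranceFund { vault, ..Default::default() };
    let r = fund.donate_checked("attacker", -drain);
    (r, fund.vault)
}

fn main() {
    // Constructed figures, loosely sized to the incident; not on-chain data.
    let (v, b) = replay_negative_donation(1_900_000, 1_900_000);
    println!("vulnerable: vault={v} attacker_balance={b}");
    let (r, v) = hardened_rejects(1_900_000, 1_900_000);
    println!("hardened: {r:?} vault={v}");
}
```

Both versions keep `i128` so the only difference is the check itself. In a real contract the stronger fix is an unsigned amount type at the entry point, so the compiler rules out negative input before any accounting runs; the explicit `amount <= 0` guard then also catches the zero-amount no-op.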
Linked factors #
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Presumed unaudited (no public audit on record)]
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — perps contract live ~90 days at exploit (since Alpha Mainnet)]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Partial — no formal program disclosed pre-incident; a negotiated post-exploit bounty was paid to the white-hat (amount undisclosed)]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: N — from-scratch L1 using custom Grug engine; not a fork of Hyperliquid, dYdX, or any existing perp DEX]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — perps contract live ~90 days at exploit (since Alpha Mainnet)]