Renegade.fi recovered around $190,000 after a hacker exploited a vulnerability in one of its Arbitrum-based dark pools and later returned more than 90% of the stolen assets.
summary
- Renegade recovered about $190,000 after a white hat hacker returned more than 90% of the stolen funds.
- This vulnerability targeted a flawed function associated with Renegade’s V1 Arbitrum dark array.
Blockchain security company Blockaid He said The vulnerability drained approximately $209,000 from Renegade’s V1 Arbitrum dark pool at 8:27 a.m. UTC on Sunday after an attacker inserted malicious logic into faulty functionality related to the protocol analyzer infrastructure.
Arbiscan data showed that about $190,000 was subsequently sent to the wallet address “0xE4A…5CFBE,” including $84,370 in USDC, $27,885 in wrapped Bitcoin, and $23,950 in wrapped Ethereum.
In an on-chain message sent after the attack, Renegade I offered The scalper “white-listed a bonus” of 10% for returning the remaining funds and warned that failure to cooperate could expose them to potential “civil or criminal action.” Within 45 minutes, the attacker returned more than 90% of the assets.
“I have seen a lot of disdain towards my actions,” the white hatter wrote in a response shared on the onchain.
“While I understand that what I did was unethical, in the current cybersecurity of DeFi, I believe this was the best solution to protect users’ funds and ensure their safety.”
Another message from the exploiter said the vulnerability was “very simple and bad,” while also claiming that North Korea-linked hackers “will never come to negotiate.”
False migration revealed the dark Arbitrum pool
The rebel has certain The incident was caused by deployment code that failed to assign an explicit owner to the contract, as well as a faulty migration introduced during an April 2025 software update.
According to the protocol, the flaw allowed anyone to rewrite the smart contract connected to its V1 Arbitrum dark pool.
Dark pools allow large traders to execute transactions privately without exposing order volume or direction to the open market. Renegade said that only 7% of its trading activity passed through the affected V1 Arbitrum pool and added that affected users would be compensated directly.
A post-mortem analysis and “full root cause analysis” are expected to be released by the protocol in the coming days.
Recent exploits involving analyst systems, proxy contracts, and administrator permissions have prompted new scrutiny into the design of decentralized finance infrastructure.
On May 7, liquidity provider TrustedVolumes lost Nearly $5.87 million after attackers targeted a custom RFQ swap proxy tied to 1-inch infrastructure. Blockaid linked the attacker to a 1inch Fusion V1 exploit in March 2025, though it said the more recent incident was based on a separate vulnerability involving proxy setup.
The debate over contract risk intensified further after 1inch co-founder Sergey Kunz criticized co-lending systems in the wake of the Kelp DAO rsETH exploit that disrupted Aave’s liquidity.
Kunz argued that “the inclusion of a single weak collateral can affect the entire reserve,” and later promoted intent-based lending systems where users negotiate fixed loan terms without relying on shared liquidity pools.
sporadic Preparing reports Crypto.news also showed that Wasabi Protocol lost more than $5 million across Ethereum, Base, Parachain, and Blast after security firms identified a compromised management key that allowed attackers to upgrade contracts and drain funds.
