Renegade recovers $190K after whitehat returns stolen crypto

Renegade.fi has recovered about $190,000 after a whitehat hacker exploited a vulnerability in one of its Arbitrum-based dark pools and later returned more than 90% of the stolen assets.

Blockchain security firm Blockaid said the exploit drained roughly $209,000 from Renegade’s V1 Arbitrum dark pool at 8:27 am UTC on Sunday after an attacker injected malicious logic into a faulty function tied to the protocol’s resolver infrastructure. 

Arbiscan data showed that about $190,000 was later sent back to the wallet address “0xE4A…5CFBE,” including $84,370 in USDC (USDC), $27,885 in wrapped Bitcoin, and $23,950 in wrapped Ether.

In an on-chain message sent after the attack, Renegade offered the exploiter a 10% “whitehat bounty” in exchange for returning the remaining funds and warned that failure to cooperate could expose them to potential “civil or criminal action.” Within 45 minutes, the attacker transferred back more than 90% of the assets.

“I’ve seen a lot of contempt toward my actions,” the whitehat wrote in a response shared onchain. 

“Although I understand that what I did was not ethical, in the current DeFi cybersecurity, I believe this was the best solution to protect users’ funds and ensure their safety.”

Another message from the exploiter said the vulnerability was “tooooo simple and bad,” while also claiming that North Korean-linked hackers “would never come to negotiate.”

Faulty migration exposed Arbitrum dark pool

Renegade has confirmed that the incident stemmed from deployment code that failed to assign an explicit owner to the contract, combined with a faulty migration introduced during an April 2025 software update. 

According to the protocol, the flaw allowed anyone to rewrite the smart contract connected to its V1 Arbitrum dark pool.

Dark pools allow large traders to execute transactions privately without exposing order size or direction to the open market. Renegade said only 7% of its trading activity passed through the affected V1 Arbitrum pool and added that impacted users would be compensated directly.

A post-mortem and “full root-cause analysis” are expected to be released by the protocol in the coming days.

Recent exploits involving resolver systems, proxy contracts, and admin permissions have pushed fresh scrutiny onto DeFi infrastructure design. 

On May 7, liquidity provider TrustedVolumes lost roughly $5.87 million after attackers targeted a custom RFQ swap proxy tied to 1inch infrastructure. Blockaid linked the attacker to the March 2025 1inch Fusion V1 exploit, although it said the newer incident relied on a separate vulnerability involving the proxy setup.

Debate over contract risk intensified further after 1inch co-founder Sergej Kunz criticized shared-pool lending systems following the Kelp DAO rsETH exploit that disrupted liquidity on Aave. 

Kunz argued that “one weak collateral listing can affect an entire reserve” and later promoted intent-based lending systems where users negotiate fixed loan terms without relying on shared liquidity pools.

Separate reporting from crypto.news also showed that Wasabi Protocol lost more than $5 million across Ethereum, Base, Berachain, and Blast after security firms identified a compromised admin key that allowed attackers to upgrade contracts and drain funds.