Renegade.fi recovered nearly $190,000 after a whitehat hacker exploited a vulnerability in one of Arbitrum’s dark pools and later recovered more than 90% of the stolen assets.
Summary
- Renegade recovered nearly $190,000 after a white hat hacker recovered more than 90% of the stolen funds.
- This exploit targets a faulty function tied to the dark pool of Renegade’s V1 Arbitrum.
Blockchain security firm Blockaid said the exploit cost an estimated $209,000 in Renegade’s V1 Arbitrum dark pool at 8:27 a.m. UTC on Sunday after an attacker injected a malicious code into a bug associated with the settlement infrastructure.
Arbiscan data showed that about $190,000 was sent back to the wallet address “0xE4A…5CFBE,” including $84,370 in USDC (USDC), $27,885 in folded Bitcoin, and $23,950 in folded Ether.
In a message sent after the attack, Renegade offered the exploiter a “whitehat bouty” of 10% to return the balance and warned that failure to cooperate could expose them to possible “civil or criminal action”. Within 45 minutes, the attacker transferred back more than 90% of the assets.
“I saw a lot of disrespect for my actions,” whitehat wrote in a reply shared onchain.
“Although I understand that what I did was unethical, in the current DeFi cybersecurity system, I believe this was the best solution to protect users’ funds and ensure their safety.”
Another message from the exploiter said the vulnerability was “very simple and bad,” and also said hackers linked to North Korea “will not come to negotiate.”
Faulty migration exposed the dark pool of Arbitrum
Renegade confirmed that the incident stems from a deployment code that failed to provide a clear owner in the contract, combined with incorrect migration introduced during the April 2025 software update.
According to the protocol, the flaw allowed anyone to rewrite the smart contract connected to its V1 Arbitrum dark pool.
Dark pools allow large traders to conduct transactions in private without disclosing order size or direction to the open market. Renegade said only 7% of its trading activity went through the affected V1 Arbitrum platform and added that affected users would be directly compensated.
An autopsy and “full causal analysis” are expected to be released in the coming days.
Recent exploits involving settlement systems, proxy contracts, and administrator permissions have driven new scrutiny in DeFi infrastructure design.
On May 7, liquidity provider TrustedVolumes lost approximately $5.87 million after attackers targeted a flexible RFQ proxy integrated into 1inch’s infrastructure. Blockaid linked the attacker to the March 2025 1inch Fusion V1 exploit, although it said the new incident relies on a different vulnerability involving proxy setup.
The controversy over contract risk intensified after 1inch founder Sergej Kunz criticized shared lending systems following the Kelp DAO rsETH exploit that disrupted funding for Aave.
Kunz argued that “one weak collateral listing can affect the entire reserve” and later developed title-based lending systems where users negotiate fixed loan terms without relying on shared spending pools.
Separate reporting from crypto.news also revealed that Wasabi Protocol lost more than $5 million across Ethereum, Base, Berachain, and Blast after security firms identified a compromised control key that allowed attackers to upgrade contracts and withdraw funds.
