TL;DR:
- A white hat hacker attacked the Renegade protocol and returned nearly $190,000 hours after stealing 27 ERC-20 tokens on Arbitrum.
- Analytics platform Blockaid detected the $209,000 exploit at 8:27 UTC; the hacker kept 10% as a bounty.
- Renegade attributed the vulnerability to a faulty migration in its April 2025 update and promised to compensate affected users.
The decentralized dark pools protocolĀ RenegadeĀ was attacked on Sunday by a white hat hacker who withdrew 27 ERC-20 tokens from its V1 pool on theĀ ArbitrumĀ network, valued at approximatelyĀ $209,000Ā according to blockchain security platform Blockaid, which detected the incident at 8:27 UTC. In less thanĀ 45 minutes,Ā the hacker returned nearly $190,000Ā to the Arbitrum address “0xE4Aā¦5CFBE”, which included $84,370 in USDC, $27,885 in wrapped Bitcoin and $23,950 in wrapped Eth.
The attack was possible because the deployment code did not assign an explicit owner to the smart contract, and a faulty migration in the April 2025 software updateĀ allowed anyone to overwrite the contract linked to the V1 pool. The hacker injected malicious logic into a defective function to carry out the theft.
Renegade Managed to Negotiate with the Hacker
Renegade responded to the incident by sending anĀ onchain messageĀ in which itĀ offered the hacker 10%Ā of the funds as a bounty in exchange for the return of the remaining 90%, also warning them of potential civil or criminal action if the agreement was not honored.
TheĀ hackerĀ complied and justified their actions in a response also recorded on-chain: “Although I understand that what I did was not ethical, in the current context of DeFi cybersecurity,Ā I believe this was the best solution to protect users’ funds.” They also pointed out that the exploited vulnerability was “too simple and severe“, urging the team to strengthen its security measures. The hacker added that actors such as North Korean hackers “would never come to negotiate.”
The protocol confirmed thatĀ only 7% of itsĀ tradingĀ volume was processed through the affected V1 pool, meaning the operational impact was limited. Renegade committed to contacting affected users directly,Ā compensating them in fullĀ and publishing a complete forensic analysis of the incident. Dark pools are private trading platforms designed to execute large transactionsĀ without exposing participants’ intentions to the broader market, which makes them sensitive infrastructure within the DeFi ecosystem.
