Whitehat returns $190K to Renegade hours after hacking the protocol

The team behind the Renegade.fi protocol said a whitehat hacker returned about $190,000 after exploiting one of its Arbitrum-based decentralized dark pools and later complying with instructions in an onchain message to return 90% of the funds.

Renegade confirmed the return of funds on Sunday after blockchain analytics platform Blockaid flagged the $209,000 exploit at 8:27 am UTC. The hacker injected malicious logic into a faulty function tied to its V1 Arbitrum dark pool to steal 27 ERC-20 tokens.

Data from Arbitrum block explorer Arbiscan shows that the whitehat returned about $190,000 to the Arbitrum wallet address “0xE4A…5CFBE,” which includes $84,370 worth of $USDC ($USDC), $27,885 in wrapped Bitcoin and $23,950 in wrapped Ether.

Source: Renegade

Whitehat hackers have come to play a crucial role in the fight against bad actors who continue to exploit crypto protocols despite strengthened security measures in recent years.

Industry initiatives like the crypto security nonprofit Security Alliance’s Safe Harbor framework have been set up to enable white hats to steal funds for temporary safekeeping while being legally protected.

In an onchain message, Renegade asked the hacker to return 90% of the funds and keep the remaining 10% as a “whitehat bounty” to avoid facing potential “civil or criminal action.”

The onchain message that Renegade sent to the hacker. Source: Arbiscan

The whitehat hacker sent more than 90% of the stolen funds back within 45 minutes and said in response to the onchain message that the action was taken to protect DeFi users:

“I've seen a lot of contempt toward my actions. Although I understand that what I did was not ethical, in the current DeFi cybersecurity, I believe this was the best solution to protect users' funds and ensure their safety.”

The whitehat hacker also hinted that Renegade should tighten up its security measures, stating that the vulnerability exploited was “tooooo simple and bad.”

Related: Crypto hackers stole $17B over past 10 years: DefiLlama

North Korean state-backed hackers “would never come to negotiate,” they added.

Renegade said the exploit appeared to have resulted from the deployment code failing to assign an explicit owner and from a faulty migration in an April 2025 software update, enabling anyone to rewrite the smart contract tied to its V1 Arbitrum dark pool.

Dark pools are private trading platforms that allow large trades to occur without exposing their intentions to, or impacting, the broader market.

Renegade added that it would publish a post-mortem with a “full root-cause analysis” explaining the security incident.

Renegade said it would fully compensate affected users, and that only 7% of its trading volume was channeled through the V1 Arbitrum dark pool and that it would contact the “small number of affected users directly.”