The team behind the Renegade.fi protocol said the whitehat hacker returned approximately $190,000 after using one of its Arbitrum-based decentralized dim pools and later following instructions in an onchain message to refund 90% of the funds.
Renegade confirmed refund on Sunday on the Blockaid analytics platform tiled the $209,000 exploit at 8:27 UTC. The hacker injected malicious logic into a faulty function associated with the Arbitrum V1 dim pool to steal 27 ERC-20 tokens.
Data from block explorer Arbitrum Arbiscan shows that whitehat returned approximately $190,000 to the Arbitrum wallet address “0xE4A…5CFBE”, which includes $84,370 in USDC (USDC), $27,885 in wrapped Bitcoin, and $23,950 in wrapped Ether.
Source: Renegade
White hat hackers have begun to play a key role in the fight against exploiters, who continue to exploit cryptographic protocols despite enhanced security measures in recent years.
Industry initiatives like the cryptocurrency security nonprofit Security Alliance’s Unthreatening Harbor framework were created to allow white hatters to steal funds for short-lived safekeeping while still providing legal protection.
In an onchain message, Renegade he asked refund 90% of the funds to the hacker and keep the remaining 10% as a “white hat bounty” to avoid potential “civil or criminal proceedings.”
The onchain message that Renegade sent to the hacker. Source: Arbiscan
The white hat hacker sent back over 90% of the stolen funds within 45 minutes and in response to the onchain message said that measures have been taken to protect DeFi users:
“I saw a lot of disdain towards my actions. While I understand that what I did was unethical, in the current DeFi cybersecurity situation, I believe it was the best solution to protect users’ funds and keep them safe.”
The white hat hacker also suggested that Renegade should tighten its security measures, stating that the exploited vulnerability was “too simple and bad.”
Related: Crypto hackers have stolen $17 billion in the last 10 years: DefiLlama
State-backed North Korean hackers “would never enter negotiations,” they added.
Renegade said the exploit likely resulted from the implementation code failing to assign a clear owner and a faulty migration in an April 2025 software update that allowed anyone to rewrite the shrewd contract associated with the Arbitrum V1 dim pool.
Gloomy pools are private trading platforms that allow huge trades to be made without revealing their intentions or impact on the wider market.
Renegade added that it would release an autopsy with a “full root cause analysis” explaining the security incident.
Renegade stated that it would fully compensate affected users and that only 7% of its trading volume was transferred through the V1 Arbitrum dim pool and that it would contact “a small number of affected users” directly.
Warehouse: AI-powered hacks could kill DeFi – unless projects start acting now
