Renegade recovers $190K after hacker returns 90% of stolen funds

Renegade, the DeFi protocol behind the first on-chain dark pool on Arbitrum, got most of its money back. A whitehat hacker who drained roughly $209K from the platform on May 10 returned approximately $190K the following day, keeping around $21K as a self-appointed bounty.

What happened and how the exploit worked

The vulnerability lived in an unprotected initializer within Renegade’s dark pool proxy contract. A critical setup function that should have been locked down was left open, letting the attacker use a delegate call to seize control and drain funds.

The exploit affected 27 different ERC-20 tokens held in the dark pool. Renegade moved quickly after detecting the breach, sending an on-chain message to the exploiter’s address offering terms for the return of funds. The deal was straightforward: send back 90%, keep 10% as a bounty, and walk away clean. The hacker accepted within roughly a day.

The affected implementation address was identified as 0xc038933d0b33359f5C87B4B2f92Ee0DAd11EaDc5. Renegade urged users to revoke any token approvals associated with that address to prevent further risk.

The bigger picture on DeFi security

April 2026 saw over $632 million stolen across more than 20 protocols, with high-profile cases like the KelpDAO exploit contributing to that figure. Against that backdrop, losing $209K and recovering 90% of it represents a markedly different outcome.

Renegade launched on Arbitrum One in early 2026, making it a relatively young protocol at the time of the exploit. The hacker claimed the action was intended to protect users within DeFi.

What this means for investors

For Renegade users specifically, the immediate financial damage was limited. Recovering $190K of the $209K drained means the net loss sits at roughly $21K. Individual users whose tokens were among the 27 affected may have experienced temporary disruption.

An unprotected initializer is a preventable issue. It raises questions about the depth of Renegade’s audit coverage and whether its smart contract review process caught other potential vulnerabilities.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.