Renegade recovers 90% after Arbitrum dark pool exploit, sets full compensation and patch plan

Renegade says it has recovered over 90% of the funds lost in the Arbitrum dark pool exploit after an on-chain negotiation with the attacker. The exploit drained about $209,000 across 27 ERC-20 tokens from its older Arbitrum V1 dark pool deployment. Blockaid attributed the root cause to an unprotected initializer in the Dark Pool proxy, allowing attackers to inject logic through the contract (an access-control failure). Renegade posted an on-chain request to return 90% of the affected assets and let the attacker keep 10% as a “whitehat bounty” to reduce legal escalation. The attacker later claimed it transferred all affected tokens to Renegade’s specified address, retaining roughly 20,000 USDC as the bounty. Renegade stressed the action remains unauthorized, so the Arbitrum dark pool exploit is still a serious incident. Renegade will fully compensate affected users and plans to publish a full postmortem. It also cited a deployment issue (no explicit contract owner set) plus a faulty migration introduced in an April 2025 update. Other deployments—V1 Base, V2 Arbitrum, and V2 Base—were reported unaffected. For traders, the Arbitrum dark pool exploit has shifted from “confirmed loss” toward a recovery path, but market attention will likely focus on reimbursement timing and the technical details of the security patch.