DeFi privacy protocol Hinkal was hit by an exploit of a smart contract vulnerability on July 3, losing approximately $820,000 in USDC. Blockchain security firm CertiK first detected the attack, stating that the attacker used an externally owned account (EOA) to perform a "no proof of deposit" operation, then executed multiple deposits to Hinkal's smart contract and withdrew USDC. The stolen funds were converted to Ethereum (ETH), and 410 ETH was subsequently laundered.
According to CertiK's security report on X, the attacker used EOA address 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20. After performing what CertiK termed a "no proof of deposit" operation, they executed a series of deposit operations to Hinkal's smart contract, enabling withdrawal of USDC without providing a valid deposit proof.
CertiK reported the stolen amount as over $800,000; on-chain investigator Specter's analysis (cited by PeckShield) indicates Hinkal's actual loss is approximately $820,000.
According to subsequent analysis by CertiK and PeckShield, the transfer path of the stolen funds is as follows:
USDC → ETH Conversion: The stolen USDC was converted to Ethereum (ETH) within hours of the attack.
Tornado Cash: 410 ETH (worth about $700,000) was deposited into Tornado Cash, a U.S. government-sanctioned Ethereum mixer.
Thorchain Bridge: 44.67 ETH was transferred from the Ethereum blockchain to the Bitcoin blockchain via Thorchain.
Bitcoin Destination Address: The funds ultimately reached a Bitcoin address starting with bc1qr2sf.
PeckShield noted that this laundering pattern, in which stolen USDC is converted to Bitcoin via cross-chain bridges, has been observed and recorded by anti-fraud agencies across more than a year of DeFi hacks.
According to DeFiLlama data, Hinkal's TVL at the time of the attack was only $829,000. The loss of approximately $820,000 means user deposits were nearly all stolen. Compared to privacy protocol competitors—Tornado Cash TVL of $440 million, Railgun $77.5 million, Privacy Pools $7.8 million—Hinkal ranked near the bottom of privacy protocols before the attack.
According to reports, Hinkal positions itself as an institutional-grade on-chain trading privacy layer, allowing users to create shielded addresses and perform swaps, transfers, and payments on public blockchains without revealing wallet balances or counterparties. The protocol is deployed on Ethereum, Arbitrum, Base, Polygon, and OP Mainnet. Hinkal raised $5.5 million from Draper Associates, Quantstamp, and NGC Ventures through seed and strategic rounds.
One day before the attack, Hinkal announced a partnership with wallet infrastructure provider Turnkey, planning to offer privacy features to Turnkey users. As of press time, Hinkal had not publicly responded to the attack on its official X account or website.
According to CertiK's security analysis, the attacker exploited a "no proof of deposit" vulnerability in Hinkal's smart contract, executing multiple deposit operations without providing valid deposit proof and withdrawing approximately $820,000 in USDC. The stolen amount nearly equaled the protocol's total TVL of $829,000 across five blockchains.
According to CertiK and PeckShield's analysis, the stolen USDC was converted to ETH. Then, 410 ETH (worth about $700,000) was deposited into Tornado Cash; 44.67 ETH was bridged to the Bitcoin blockchain via Thorchain, reaching a Bitcoin address starting with bc1qr2sf.
According to reports, Hinkal is an institutional-grade on-chain privacy protocol deployed on Ethereum, Arbitrum, Base, Polygon, and OP Mainnet. It raised $5.5 million in funding. As of press time, Hinkal has not publicly responded to the attack on its official X account or website.