Hinkal smart contract bug allows $820K USDC drain
A flaw in Hinkal’s stablecoin privacy protocol let an attacker exploit prooflessDeposit() and repeatedly call transact(), withdrawing about $820,000 in USDC.
Hinkal’s stablecoin privacy protocol was exploited in 2026 after a flaw in a smart contract allowed an attacker to withdraw about $820,000 in USDC from the protocol’s contract balances.
Initial analysis indicates the attacker triggered a function named prooflessDeposit() and then executed repeated transact() calls to extract funds. The precise technical defect has not been disclosed.
Blockchain forensics confirmed the loss and showed funds were taken directly from Hinkal’s smart contract balances rather than moving through an exchange. Investigators identified a coding error in the contract as the likely cause, not a failure of token standards or external components.
The incident is part of a wider series of DeFi exploits in 2026. Over the past six months there were 207 distinct hacks and reported losses in the first half of 2026 totaled $948.13 million, down from $2.3 billion in the same period of 2025. Other recent incidents include a June 20 MEV bot compromise of about $7.5 million and a flash-loan attack that extracted roughly $403,000 from an exchange.
Affected projects often pause contracts, trace fund flows, and run audits while attempting recovery. Hinkal’s team has not published a detailed postmortem or provided a timeline for fixes.
Security analysts recommend code review and formal verification to reduce the risk of implementation errors in immutable smart contracts.








