Hinkal smart-contract flaw led to $820K USDC theft
A flaw in Hinkal’s smart contract let an attacker withdraw about $820,000 in USDC by abusing prooflessDeposit() and repeated transact() calls.
Hinkal, a stablecoin privacy protocol, suffered an exploit that permitted an attacker to withdraw roughly $820,000 in USDC from a smart contract. The activity was visible on public blockchain records and flagged by monitoring tools.
The attacker manipulated the contract’s prooflessDeposit() path and then executed a series of transact() calls to extract funds that should have remained locked. Initial technical review points to missing or incorrect validation of deposit operations and of the cryptographic proofs the protocol uses for privacy guarantees.
The apparent flaw allowed withdraw-like operations to be invoked multiple times against the same funds. The precise code error has not been published; further analysis by developers and external security teams is under way to produce a full technical breakdown.
On-chain analysis and security monitors detected the anomalous transactions. Hinkal’s developers and independent security firms are tracing the stolen USDC and reviewing contract logic to determine the exploit’s scope and whether any funds can be recovered.
The incident occurred amid continued losses in decentralized finance. Data compiled over the past six months records 207 distinct hacks and about $948.13 million in losses, compared with $2.3 billion stolen in the first half of 2025. Recent individual incidents included a $7.5 million exploit of an MEV bot and a roughly $403,000 flash-loan attack on a wrapped xStocks market.
Audits and formal verification are common defenses for smart-contract code. Implementation errors in contract logic can permit immediate and irreversible transfers because transactions on public blockchains are final once executed.








