Hinkal DeFi Exploit: $820,000 Lost, 410 ETH Laundered Through Tornado Cash


DeFi privacy protocol Hinkal suffered a smart contract exploit on July 3, losing approximately $820,000 in USDC. Blockchain security firm CertiK first flagged the attack, stating that the attacker used an externally owned account (EOA) to perform what CertiK termed a "no proof of deposit" operation: a series of deposit calls against Hinkal's smart contract after which USDC could be withdrawn without a valid deposit proof. The stolen funds were swapped to ETH, of which 410 ETH was laundered through Tornado Cash.

CertiK: Attacker Withdrew USDC from Hinkal Smart Contract via "No Proof of Deposit" Vulnerability

According to CertiK's security report on X, the attacker operated from EOA address 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20. After what CertiK termed a "no proof of deposit" operation, they issued a series of deposit calls to Hinkal's smart contract and were then able to withdraw USDC without supplying a valid deposit proof; in other words, the contract's withdrawal path accepted requests that were not backed by a verified deposit.
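The following is an added illustration, not Hinkal's code and not part of CertiK's report: a toy fixed-denomination shielded pool in Python in which a deposit inserts a commitment into a Merkle tree and a withdrawal must present a membership proof (standing in for the zero-knowledge proof a real pool verifies) together with an unused nullifier. The `verify_proof=False` variant drops the membership check, which reproduces the failure class CertiK describes: an address that never deposited withdraws until the pool is empty, and legitimate depositors can no longer redeem. The note denomination, the SHA-256 commitment scheme, the revealed `secret` (which a real pool would hide behind a ZK proof of knowledge) and all names are assumptions for the demonstration; Hinkal's actual contract logic is not described on this page.

```python
import hashlib

DEPTH = 4       # 2**4 = 16 leaves is enough for the demonstration
DENOM = 1_000   # fixed-denomination notes in USDC units (assumption)

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

# Hash of an empty subtree at each level, used to pad the tree.
ZERO = [b"\x00" * 32]
for _ in range(DEPTH):
    ZERO.append(h(ZERO[-1], ZERO[-1]))

def root_and_proof(leaves, index):
    """Return the Merkle root and a membership proof for leaves[index]."""
    level = leaves + [ZERO[0]] * (2 ** DEPTH - len(leaves))
    proof, idx = [], index
    for _ in range(DEPTH):
        proof.append((level[idx ^ 1], idx % 2 == 0))  # (sibling, sibling_is_right)
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return level[0], proof

def verify_membership(root, leaf, proof):
    """Recompute the root from leaf and proof; True only for a leaf in the tree."""
    node = leaf
    for sibling, sibling_is_right in proof:
        node = h(node, sibling) if sibling_is_right else h(sibling, node)
    return node == root

class ShieldedPool:
    def __init__(self, verify_proof=True):
        self.verify_proof = verify_proof  # False models the missing deposit-proof check
        self.leaves, self.spent, self.balance = [], set(), 0

    def deposit(self, commitment):
        """Insert commitment = h(secret, nullifier) and credit one note."""
        self.leaves.append(commitment)
        self.balance += DENOM
        return len(self.leaves) - 1

    def withdraw(self, nullifier, secret, proof):
        if nullifier in self.spent:
            raise ValueError("nullifier already spent")
        leaf = h(secret, nullifier)
        root, _ = root_and_proof(self.leaves, 0)
        # The hardened pool refuses any withdrawal not tied to a deposited commitment.
        if self.verify_proof and not verify_membership(root, leaf, proof):
            raise ValueError("invalid deposit proof")
        if self.balance < DENOM:
            raise ValueError("pool has no funds left")
        self.spent.add(nullifier)
        self.balance -= DENOM
        return DENOM

def drain_without_deposit(pool, attempts=100):
    """An attacker holding no note submits withdrawals with a bogus proof and
    fresh nullifiers until the pool rejects one; returns the amount taken."""
    bogus_proof = [(ZERO[i], True) for i in range(DEPTH)]
    stolen = 0
    for i in range(attempts):
        try:
            stolen += pool.withdraw(h(b"attacker-null", bytes([i])), h(b"attacker"), bogus_proof)
        except ValueError:
            break
    return stolen

def run(verify_proof):
    """Two honest deposits, one drain attempt, then an honest withdrawal.
    Returns (amount stolen, amount the honest user got back, final balance)."""
    pool = ShieldedPool(verify_proof)
    notes = [(h(b"user-secret", bytes([i])), h(b"user-null", bytes([i]))) for i in range(2)]
    for secret, nullifier in notes:
        pool.deposit(h(secret, nullifier))
    stolen = drain_without_deposit(pool)
    secret, nullifier = notes[0]
    _, proof = root_and_proof(pool.leaves, 0)
    try:
        honest = pool.withdraw(nullifier, secret, proof)
    except ValueError:
        honest = 0
    return stolen, honest, pool.balance

if __name__ == "__main__":
    print("hardened pool   (stolen, honest, balance):", run(True))   # (0, 1000, 1000)
    print("vulnerable pool (stolen, honest, balance):", run(False))  # (2000, 0, 0)
```

The point of the model is that balance accounting alone cannot catch this class of bug: after the drain, the vulnerable pool's ledger looks internally consistent (two deposits, two spent nullifiers, zero balance). The only thing that ties a withdrawal to a prior deposit is the membership proof, so skipping or short-circuiting that check turns a privacy pool into an open faucet limited only by its TVL, which matches an $820,000 loss against an $829,000 TVL.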

CertiK put the stolen amount at over $800,000; on-chain investigator Specter's analysis, cited by PeckShield, puts Hinkal's actual loss at approximately $820,000.

Stolen Funds Laundering Path: USDC Converted to ETH and Transferred via Tornado Cash and Thorchain

According to subsequent analysis by CertiK and PeckShield, the transfer path of the stolen funds is as follows:

USDC → ETH Conversion: The stolen USDC was converted to Ethereum (ETH) within hours of the attack.

Tornado Cash: 410 ETH (worth about $700,000) was deposited into Tornado Cash, a U.S. government-sanctioned Ethereum mixer.

Thorchain Bridge: 44.67 ETH was transferred from the Ethereum blockchain to the Bitcoin blockchain via Thorchain.

Bitcoin Destination Address: The funds ultimately reached a Bitcoin address starting with bc1qr2sf.

PeckShield noted that this laundering pattern, converting stolen USDC to ETH and bridging it to Bitcoin, has been observed repeatedly and documented by anti-fraud analysts across DeFi exploits over the past year.

Hinkal's TVL Before Attack Was $829,000, Nearly Entirely Drained

According to DeFiLlama data, Hinkal's TVL at the time of the attack was only $829,000. The loss of approximately $820,000 means user deposits were nearly all stolen. Compared to privacy protocol competitors—Tornado Cash TVL of $440 million, Railgun $77.5 million, Privacy Pools $7.8 million—Hinkal ranked near the bottom of privacy protocols before the attack.

Hinkal Background: Operates on Five Blockchains, Raised $5.5 Million in Funding

According to reports, Hinkal positions itself as an institutional-grade on-chain trading privacy layer, allowing users to create shielded addresses and perform swaps, transfers, and payments on public blockchains without revealing wallet balances or counterparties. The protocol is deployed on Ethereum, Arbitrum, Base, Polygon, and OP Mainnet. Hinkal raised $5.5 million from Draper Associates, Quantstamp, and NGC Ventures through seed and strategic rounds.

One day before the attack, Hinkal announced a partnership with wallet infrastructure provider Turnkey, planning to offer privacy features to Turnkey users. As of press time, Hinkal had not publicly responded to the attack on its official X account or website.

Frequently Asked Questions

How did the Hinkal attack occur?

According to CertiK's security analysis, the attacker exploited a "no proof of deposit" vulnerability in Hinkal's smart contract, executing multiple deposit operations without providing valid deposit proof and withdrawing approximately $820,000 in USDC. The stolen amount nearly equaled the protocol's total TVL of $829,000 across five blockchains.

Where did the stolen funds ultimately go?

According to CertiK and PeckShield's analysis, the stolen USDC was converted to ETH. Then, 410 ETH (worth about $700,000) was deposited into Tornado Cash; 44.67 ETH was bridged to the Bitcoin blockchain via Thorchain, reaching a Bitcoin address starting with bc1qr2sf.

What is the Hinkal protocol, and is there an official response?

According to reports, Hinkal is an institutional-grade on-chain privacy protocol deployed on Ethereum, Arbitrum, Base, Polygon, and OP Mainnet. It raised $5.5 million in funding. As of press time, Hinkal has not publicly responded to the attack on its official X account or website.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.