Hinkal is a zero-knowledge proof-based protocol that enables users to keep wallet addresses, transaction amounts, and counterparties private while allowing public, auditable settlements on major chains like Ethereum, Base, Arbitrum, and others. It supports confidential deposits, withdrawals, transfers, swaps, and DeFi interactions for stablecoins. The protocol had positioned itself as an institutional-grade solution with significant private transaction volume and multiple security audits.
On July 3, an attacker carried out the exploit through unauthorized “proofless” deposits followed by multiple transact operations on the protocol’s core contract on Ethereum. This led to the drainage of approximately $820,000 in USDC. Suspicious transactions were flagged by CertiK Alert monitoring shortly after the incident occurred.
According to security analysts, the attacker exploited a vulnerability involving a “Proofless Deposit” into the Hinkal contract, followed by multiple “Transact” calls that allowed unauthorized draining of USDC. This bypassed the standard proof verification mechanisms central to the protocol’s privacy architecture.
Funds were then converted and moved for laundering: approximately 410 ETH (valued at around $700,000 at the time) was deposited into Tornado Cash, while another 44.7 ETH was bridged to Bitcoin via THORChain.
Attack Details
No additional chains beyond the primary Ethereum/Base deployment appear to have been directly impacted in the initial reports.
Hinkal had undergone multiple independent security audits prior to the incident and positioned itself as an institutional-grade privacy solution with over $500 million in historical private transaction volume. The protocol raised approximately $6 million in funding and emphasized compliance features, including KYT enforcement at the deposit layer.
This exploit joins a series of DeFi incidents in 2026 targeting privacy and bridging protocols. For a broader overview of the security landscape that month, the June 2026 Crypto Hack Report documented 45 blockchain security incidents, highlighting ongoing risks across the ecosystem. Though smaller in scale compared to larger breaches seen earlier in the year, the Hinkal incident reflects similar patterns.
According to DefiLlama data around the time of the exploit, Hinkal’s total value locked stood at approximately $829,000 across supported chains prior to or around the time of the exploit, with the majority on Ethereum. The stolen amount represents a significant portion of its on-chain liquidity. Users with funds in shielded pools may face temporary uncertainty, though the protocol’s design isolates private transactions.
No immediate price impact data is available for a native token, as Hinkal operates without one. The broader privacy sector continues to face scrutiny over the tension between anonymity features and exploit risks.
Privacy protocols like Hinkal play a growing role in DeFi by allowing compliant yet confidential transactions for institutions and users seeking to minimize on-chain surveillance. However, the incident underscores persistent challenges in securing complex zero-knowledge implementations and deposit verification logic against sophisticated bypasses.
Recent events, such as the Solv Protocol exploit that resulted in $2.7M lost due to a smart contract vulnerability, further illustrate these recurring issues in the space. As the sector matures, rapid response, transparent post-mortems, and strengthened verification layers will remain critical for maintaining user trust.
