How a smart contract flaw in the Hinkal protocol led to an $820,000 USDC exploit


Another day, another exploit.

News has spread that the Hinkal stablecoin privacy protocol may have been hacked. The suspected exploit appears to be due to a flaw in one of its smart contracts.

The flaw reportedly allowed the attacker to take approximately $820,000 worth of USDC from the system.

Initial reports indicate that the attacker obtained funds that were not intended to be accessible. The attacker was able to do this by manipulating Hinkal's ProoflessDeposit() function and then making a string of transact() calls.

Hinkal Stablecoin privacy protocol exploited
Source: GoPlus Security/X

The technique used to carry out the attack

Although the precise technical flaw is still unknown, the attack suggests that the protocol may have failed to verify the authenticity of deposits or to verify the cryptographic proofs that underpin Hinkal’s privacy architecture.

This may have allowed the attacker to repeatedly call transact() and withdraw the USDC held by the smart contract. In effect, a coding error led to a real financial loss.

The suspected Hinkal exploit points to a vulnerability in the smart contract code, which is one of the most enduring threats in decentralized finance (DeFi). While the incident does not indicate a flaw in DeFi itself, it does illustrate how implementation errors can lead to significant financial losses.

Rise in exploits in 2026

This comes at a time when other exploits have occurred recently. On June 20, the Jaredfromsubway.eth Maximum Extractable Value (MEV) bot was exploited, resulting in losses amounting to $7.5 million.

In another case, a hacker used a flash loan to manipulate the xStocks envelope exchange rate, resulting in an approximately $403,000 exploit of Edel Finance.

Taking all of this together, it is clear that scams have increased significantly in 2026. In fact, in the past six months, there have been 207 different hacks, according to TRM Labs.

But despite the rise in incidents, DeFiLlama data showed total losses reached $948.13 million, less than half of the $2.3 billion stolen in the first half of 2025.

High total hacks in 2026
Source: DeFiLlama

Final summary

  • An exploit of the Hinkal stablecoin privacy protocol led to a USDC hack worth $820,000.
  • The attacker abused Hinkal’s ProoflessDeposit() function and then made a series of transact() calls to perform this attack.


