Skip to content

exploit

Hinkal drained for ~$820K on Ethereum after proofless-deposit bug bypasses ZK verification

An attacker skipped Hinkal's zk verification with a 'Proofless Deposit', drained ~$820K in USDC on Ethereum, and laundered 410 ETH via Tornado Cash plus 44.7 ETH bridged to Bitcoin over THORChain.

by 5 min read

Hinkal, a zero-knowledge privacy layer for stablecoin transfers and DeFi actions, was drained for ~$820,000 in USDC on Ethereum on July 2, 2026 after an attacker executed what the protocol and outside researchers labelled a "Proofless Deposit" — a call path that bypassed the zk verification step that normally gates deposits — and then withdrew funds through a chain of Transact calls on the pool contract. On-chain investigator Specter flagged the drain first, and PeckShieldAlert confirmed the loss within the hour. Hinkal's public post-incident statement pauses all contracts, commits to making affected users whole, and confirms the incident has been reported to U.S. federal law enforcement (see the CryptoTimes write-up of the initial cause disclosure, and the CryptoAdventure follow-up on the reimbursement commitment).

Only the Ethereum pool was affected. Contracts on Solana, Arbitrum, Base and Tron remain paused as a precaution but were not touched.

What happened

Hinkal markets itself as a confidential-transaction layer — deposits into a shared pool, private transfers within it, and withdrawals that mask the counterparty graph — anchored by zk proofs that a deposit is valid before pool balances can be moved. The exploit did not break the proof system itself. It skipped it.

The attacker's EOA, 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20, first interacted with the Hinkal pool contract at block 25,448,306 with a call the reporting tags as a "Proofless Deposit" — a transaction that credited the pool state without a valid proof accompanying it. From there, a series of Transact calls dispatched 25,000-USDC outbound transfers to the attacker address across blocks 25,448,345–25,448,347, i.e. under a minute of chain time, until the pool's USDC balance was drained (~797,000 USDC by Hinkal's own accounting; ~$820,000 by third-party trackers).

Hinkal's own post-mortem posture, as reported, is that a preliminary root cause has been identified but not published: engineers are working with external security firms to verify the finding before disclosing the specific verification-bypass primitive. Until then, treat the "proofless deposit" label as descriptive of the observed call path, not as a full class name for the bug.

Numbers

- Chain                     : Ethereum
- Protocol                  : Hinkal (privacy layer)
- Attacker EOA              : 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20
- Hinkal pool contract      : 0x25e5e82f…bAdFca826 (partial per reporting)
- First malicious tx        : block 25,448,306 ("Proofless Deposit")
- Outbound drain window     : blocks 25,448,345 – 25,448,347
- Transfer unit             : 25,000 USDC per outbound tx
- USDC drained (Hinkal)     : ~797,000
- USDC drained (trackers)   : ~$820,000
- Converted at time of drain: ~454 ETH
- Sent to Tornado Cash      : ~410 ETH (~$700,000)
- Bridged to Bitcoin (THOR) : ~44.7 ETH
- BTC destination           : bc1qr2sf…zn3w (partial per reporting)
- Detection window          : ~1 hour after drain (Specter → PeckShieldAlert)
- Other chains touched      : none — Solana, Arbitrum, Base, Tron unaffected
- Time of first drain tx    : ~19:05 UTC, July 2, 2026 (per CryptoAdventure)

The ~454 ETH intermediate figure is the sum of the on-chain USDC→ETH conversions the attacker performed before mixing; the ~$820K vs ~$797K spread is dollar-price slippage between the drain window and the tracker snapshot, not a discrepancy in what left the pool.

Skeptical attribution

No named actor. Specter and PeckShieldAlert surfaced the drain; neither has attributed it to a known group. Tornado Cash routing followed by THORChain-to-Bitcoin bridging is a familiar pattern — it fits recent DPRK-linked drains but also fits every other operator that has read a Chainalysis report. Absent an FBI, OFAC or court filing naming the operator, the wallet should be read as an anonymous privacy-layer exploiter, and any "Lazarus" framing at press time is speculation.

Hinkal has confirmed that the incident has been reported to U.S. federal law enforcement and that outside firms are tracing the funds — that is the correct next step, not attribution in itself.

Hinkal's response

  • All contracts paused — Ethereum pool, plus the untouched Solana, Arbitrum, Base and Tron deployments, as a precaution while the fix is verified.
  • Users made whole. Per Hinkal's statement, affected depositors' balances will be restored in full; process and timing will be published once the fix is verified.
  • Preliminary root cause identified. Not yet published; the protocol is coordinating disclosure with external security firms.
  • U.S. federal law enforcement notified. Chain-analytics firms are tracing the mixed funds.

What to watch

  1. The specific verification-bypass primitive. "Proofless Deposit" is the label on the trace; the underlying question is whether the pool accepted a deposit whose zk verifier call reverted-but-was-swallowed, or whether the deposit path had a code branch that skipped the verifier entirely. The two failure modes point at different classes of fix.
  2. Whether the drain window was the first exploit or the first successful one. If earlier attempts show the same signature and reverted, the vulnerability is older than July 2; if not, it was inserted or unlocked by a recent deploy.
  3. Movement of the ~44.7 ETH parked on Bitcoin. THORChain-side movements are visible in real time and give the best chance of tracing the operator without a Tornado Cash de-mix.
  4. Any coordinated pause across other zk privacy layers. The affected contract handled USDC deposits on Ethereum only; other zk-privacy pools with similar deposit paths (there are several in production) should audit for the same class of bypass. Whether they do is a signal on how the ecosystem reads the disclosure.

Context — proof-bypass drains are the class the zk stack has to get right

Privacy pools live and die on the invariant that no deposit credit occurs without a valid proof. When that invariant fails — in this case via a call path that produced a deposit credit without the proof gate holding — the pool's shielded balance becomes a checkbook the attacker can write against. The pattern is not new: Tornado Cash's proposal-execution flow was itself abused via a governance takeover in March 2026 with a lookalike malicious proposal, and 2024–25 saw several smaller privacy pools drained through commitment-hash and nullifier bugs. What sets Hinkal apart is that the drain here was not a cryptographic soundness break but an implementation gap in front of the verifier — the harder failure mode to audit for, because it lives in glue code rather than in the constraint system.

Sources:

Related stories