Key Highlights
- Hinkal said the exploit was isolated to a single Ethereum smart contract.
- Deployments on all other supported blockchains were unaffected.
- The team has identified a preliminary root cause and is validating it with external security specialists.
Privacy infrastructure protocol Hinkal Protocol has shared an update on its recent security incident, confirming that the exploit was limited to a single smart contract deployed on Ethereum while emphasizing that its infrastructure on all other supported blockchains remains unaffected.
In an update posted on X on Friday, the privacy-focused stablecoin protocol said all smart contracts remain paused as a precaution while engineers continue investigating the incident alongside external security experts.
Ethereum contract was the only affected deployment
According to Hinkal, the attack did not impact its deployments outside Ethereum. “The incident was isolated to a single smart contract on Ethereum. Deployments on all other chains were not affected,” the team said.
The protocol added that it has already identified a preliminary root cause and is currently working with independent security specialists to verify its findings before publishing a complete technical analysis. The company added that all smart contracts will remain paused until the investigation is complete.
Hinkal also confirmed that blockchain security firms are tracing the stolen assets and that the incident has been reported to U.S. federal law enforcement. The protocol did not disclose additional technical details regarding the exploit, but said more information will be released once the investigation concludes.
Incident follows $820,000 Ethereum exploit
The latest update follows the security breach disclosed earlier on Friday, when Hinkal reported unusual USDC activity involving its Ethereum deployment. Subsequent on-chain analysis from multiple blockchain security firms estimated that the attacker drained approximately $820,000 through an apparent exploit involving Hinkal’s Ethereum smart contracts.
Investigators reported that the stolen USDC was converted into Ether before being laundered through Tornado Cash and later routed through THORChain, making recovery significantly more difficult. Security researchers also observed a series of identical 25,000 USDC withdrawals executed within seconds, suggesting the exploit was automated rather than manually executed.
Full technical report expected
Hinkal said it will release a complete postmortem after external validation is complete, providing further details on the exploit and the steps required to prevent similar incidents in the future.
Until then, the protocol’s smart contracts will remain paused while investigators continue tracing funds and reviewing the vulnerability that enabled the attack.
Also read: Velocity Defends Drift Rebrand After $295M Crypto Exploit

