Hinkal Says Users Will Be Made Whole After 797K USDC Exploit
0
0

Hinkal said affected users will be made whole after an attacker withdrew about 797,000 USDC from one of its Ethereum contracts.
The exploit began at 19:05 UTC on July 2, when the attacker withdrew funds through a series of transactions from an affected Hinkal pool on Ethereum. The attacker converted the stolen USDC into about 454 ETH.
The follow-up confirms the incident details that were still pending when the first Hinkal exploit alert surfaced from onchain monitoring. The earlier estimate placed the loss near $820,000 and tracked the attacker’s movement into Tornado Cash and Bitcoin.
Hinkal said the incident was limited to the affected Ethereum pool. Contracts on other chains were not affected, but all Hinkal smart contracts remain paused while the team prepares and verifies a fix.
Funds Moved Through Tornado Cash And THORChain
The attacker moved 410 ETH into Tornado Cash and bridged another 44.67 ETH from Ethereum to Bitcoin through THORChain. Hinkal said the full flow of funds is being tracked with external security specialists.
The project has traced how the funds were withdrawn and is validating the root cause with external specialists. A full technical breakdown is expected after the fix is prepared and verified.
The confirmed flow matches the laundering route flagged in the first onchain alert. Tornado Cash received most of the ETH, while THORChain handled the cross-chain route into Bitcoin. That leaves investigators tracking both mixer deposits on Ethereum and the Bitcoin-side movement that followed the bridge transaction.
Recent exploit cases have used similar post-incident routes. The UXLINK exploiter sent 3,700 ETH through Tornado Cash, while the KelpDAO attacker also used Tornado Cash and THORChain during the laundering phase.
Contracts Stay Paused During Fix
All Hinkal smart contracts remain paused as a precautionary measure. No interaction with the contracts is possible while the fix is being prepared and reviewed.
Hinkal said no user action is required and that no user action can put funds at risk while the contracts remain paused. The project is also engaging relevant authorities and said official updates will come only through its official X account, Telegram and Discord.
The reimbursement plan has not been published yet. Hinkal said all affected funds will be returned in full and that the exact process and timing will be shared once the fix is verified.
As of July 4, the confirmed loss stood at about 797,000 USDC, all Hinkal contracts remained paused, and affected users were promised 1:1 reimbursement.
The post Hinkal Says Users Will Be Made Whole After 797K USDC Exploit appeared first on Crypto Adventure.
0
0
Securely connect the portfolio you’re using to start.






