Hinkal Privacy Protocol Drain
An attacker drained $820,000 in USDC from privacy protocol Hinkal — nearly its entire cross-chain TVL — via unverified 'proofless' deposits, then laundered it through Tornado Cash and THORChain.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
An attacker drained $820,000 in USDC from privacy protocol Hinkal — nearly its entire cross-chain TVL — via unverified 'proofless' deposits, then laundered it through Tornado Cash and THORChain.
A deflationary-burn flaw in the OLPC token created a reserve mismatch on a PancakeSwap V2 pool, letting an attacker buy out LABUBU at a distorted price and drain about $1.1M.
An attacker minted a worthless EVIL token to distort mySwap's concentrated-liquidity pool accounting on Starknet and drained about $305K of residual LP funds.
An IBC transfer-logic flaw let an attacker sweep roughly $600,000 of shielded assets from Namada's Multi-Asset Shielded Pool, briefly masked by a stale indexer.
A zero-value transferFrom bypassed an allowance check and triggered an unauthorized reward mint into the PancakeSwap pair, letting an attacker drain about $378,000 from Little Boy Plus.
An attacker drained roughly $2.16M from Aztec's deprecated Private Rollup Bridge via an unguarded escapeHatch and spoofed proof data — Aztec's second hack in a week.
A missing return statement in the DIP token's _transfer function let an attacker desync its PancakeSwap reserves with skim/sync and drain roughly $111,000 in USDC.
An integer-division rounding bug in a long-deprecated Thetanuts Finance vault let an attacker mint option tokens for free and drain about $2.1M on Ethereum; white-hats clawed back roughly $2M.
An attacker drained roughly $2.1M from the deprecated Aztec Connect bridge by exploiting incomplete proof validation, withdrawing unbacked balances from immutable contracts.
An attacker drained roughly $1.34M from five dormant Raydium AMM V3 pools on Solana by minting a fake LP token that bypassed the deprecated program's withdrawal checks.
A signature-verification flaw in the Zodiac Delay Module let an attacker bypass Gnosis Pay's time-delay and drain roughly $1.5 million from 5,281 user Safes; Gnosis restored 100% of funds.
A confused-deputy access-control flaw in New Market Trading's third-party SquidRouterModule let an attacker drain roughly $3.8 million from 88 Gnosis Safe wallets across Ethereum, Base, and Arbitrum.
Cross-chain aggregator Transit Finance lost ~$1.88M in DAI on May 13, 2026 — a second multi-million-dollar incident after its October 2022 proxy-approval breach.
Rhea Finance on NEAR lost $18.4M after a two-day setup of fake tokens, 423 wallets and 8 Ref pools exploited a slippage-summing flaw in margin trading.
Solv Protocol's BRO vault lost $2.73M when an ERC-3525 double-mint bug let the attacker turn 135 BRO into ~567M BRO over 22 deposits, then swap for 38 SolvBTC.
SagaEVM lost $7M in 11 minutes when an Ethermint bug let crafted messages bypass validation, minting Saga Dollar (D) without collateral and bridging to ETH.
TMXTribe, a staking/rewards protocol, lost ~$1.4M when a distribution accounting flaw let an attacker repeatedly over-claim, draining the reward reserve.
Truebit lost $26.4M when an integer overflow in TRU's five-year-old bonding-curve contract let the attacker mint TRU near-free and sell back for 8,500 ETH.