Hinkal Privacy Protocol Drain
An attacker drained $820,000 in USDC from privacy protocol Hinkal — nearly its entire cross-chain TVL — via unverified 'proofless' deposits, then laundered it through Tornado Cash and THORChain.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
An attacker drained $820,000 in USDC from privacy protocol Hinkal — nearly its entire cross-chain TVL — via unverified 'proofless' deposits, then laundered it through Tornado Cash and THORChain.
A flash-loan-funded attacker inflated Edel Finance's internal wGOOGLx exchange rate ~78x, borrowing against phantom tokenized-Google-stock collateral to leave about $403,000 in bad debt.
A confused-deputy access-control flaw in New Market Trading's third-party SquidRouterModule let an attacker drain roughly $3.8 million from 88 Gnosis Safe wallets across Ethereum, Base, and Arbitrum.
~$10.8M drained from THORChain Asgard vaults across nine chains via a suspected GG20 threshold-signature flaw exploited by a malicious node operator.
Wasabi Protocol's perp vaults across Ethereum, Base, Berachain and Blast lost $5M when a compromised deployer EOA with sole ADMIN_ROLE allowed UUPS upgrades.
1B bridged DOT minted on Hyperbridge after a missing bounds check in VerifyProof let an attacker forge MMR proofs; realised loss ~$2.5M.
~$1.78M drained from Moonwell on Base after a newly listed market used a price feed with a decimals mismatch, mis-valuing collateral so attackers borrowed out.