$1 550 000 USD

JULY 2025

GLOBAL

KINTO

DESCRIPTION OF EVENTS

Kinto is a modular exchange and non-custodial wallet platform designed to bring together the strengths of decentralized finance (DeFi) and traditional finance. Its infrastructure prioritizes user security and ease of use, offering insured wallets and a network tailored to meet the high standards of both sectors. Kinto promotes itself as a bridge between these financial systems, creating a seamless experience where users can safely engage with diverse financial instruments, including those typically unavailable on other chains, such as U.S. equities.


One of Kinto’s defining features is its verified user base and wallet insurance, aiming to eliminate the risks of anonymity-driven scams that have historically impacted DeFi. This verification system not only enhances safety but also unlocks new financial opportunities by ensuring regulatory compliance. Developers benefit from native support for Know Your Customer (KYC) processes and investor accreditation within an OFAC-compliant ecosystem, removing long-standing barriers that have hindered integration between on-chain protocols and traditional finance.


Kinto positions itself as a neutral, decentralized foundation for the next generation of finance—one that is transparent, inclusive, and secure. It offers a unified environment for both individuals and institutions to participate confidently in the evolving financial landscape. By merging security, regulatory compliance, and decentralization, Kinto aims to redefine how financial services are built and accessed, ensuring that the benefits of future finance are available to all.


A vulnerability existed in the proxy's storage layout: if the EIP-1967 initialization slot isn't properly initialized during deployment, it becomes possible to write a second, hidden implementation in the same storage page at a different offset. While block explorers would show the expected, legitimate implementation, the hidden one remained invisible and dormant, waiting to be triggered.


At a chosen moment, the attacker switched the proxy’s pointer to this hidden implementation. Doing so granted them control over the contract, allowing them to upgrade it again—this time to a malicious version with minting functionality. This effectively gave the attacker unauthorized access and control, bypassing intended restrictions and enabling them to manipulate the token supply.


The $K token on Arbitrum was impacted because it used a common transparent-proxy ERC-20 pattern, which included the flawed initialization behavior. This pattern was based on OpenZeppelin libraries that are widely used and have been heavily audited, but the deployment still inherited the latent vulnerability. Crucially, no part of the exploit involved code written by the Kinto core team or running on Kinto’s Layer 2—only the proxy setup on Arbitrum was affected.
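A defender's check for the deployment flaw described above, as an added example (not Kinto's or OpenZeppelin's code): it reads a proxy's EIP-1967 implementation, admin and beacon slots, flags a slot left uninitialized at deployment, and alerts when the implementation pointer moves to an address outside the reviewed set. The injected storage reader, the snapshot layout and the placeholder addresses are assumptions, not values from the incident.

```python
# Added example: audit EIP-1967 proxy slots and detect a pointer switch.
# Storage access is injected so the checks run against eth_getStorageAt or
# the constructed snapshots at the bottom.

# EIP-1967 slot constants, defined as keccak256("eip1967.proxy.<name>") - 1.
IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
BEACON_SLOT = 0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50
ADDRESS_MASK = (1 << 160) - 1  # an address occupies the low 20 bytes of a slot


def slot_address(word: int) -> int:
    """Extract the address stored in a 32-byte slot word."""
    return word & ADDRESS_MASK


def audit_proxy(get_storage, expected_impl: int, expected_admin: int) -> list:
    """Compare the three EIP-1967 slots with what the deployment should hold.
    get_storage(slot) -> int mirrors eth_getStorageAt; [] means all looks right."""
    findings = []
    impl = slot_address(get_storage(IMPLEMENTATION_SLOT))
    admin = slot_address(get_storage(ADMIN_SLOT))
    if impl == 0:
        findings.append("implementation slot is zero (proxy not initialized)")
    elif impl != expected_impl:
        findings.append(f"implementation slot points at 0x{impl:040x}, not the expected code")
    if admin == 0:
        findings.append("admin slot is zero (upgrade authority never set)")
    elif admin != expected_admin:
        findings.append(f"admin slot holds 0x{admin:040x}, not the expected admin")
    if slot_address(get_storage(BEACON_SLOT)) != 0:
        findings.append("beacon slot is set on a non-beacon proxy")
    return findings


def detect_switch(snapshots, allowlist) -> list:
    """snapshots: [(block, {slot: word})] in block order. Returns (block, impl)
    whenever the implementation slot changes to an address outside allowlist."""
    alerts, prev = [], None
    for block, storage in snapshots:
        impl = slot_address(storage.get(IMPLEMENTATION_SLOT, 0))
        if prev is not None and impl != prev and impl not in allowlist:
            alerts.append((block, impl))
        prev = impl
    return alerts


# Constructed sample (placeholder addresses): the visible implementation is the
# legitimate one, the admin slot was never written, and the pointer later moves.
LEGIT_IMPL, LEGIT_ADMIN, UNKNOWN_IMPL = 0x1111, 0x2222, 0x3333
SNAPSHOTS = [
    (100, {IMPLEMENTATION_SLOT: LEGIT_IMPL}),
    (200, {IMPLEMENTATION_SLOT: LEGIT_IMPL, ADMIN_SLOT: LEGIT_ADMIN}),
    (300, {IMPLEMENTATION_SLOT: UNKNOWN_IMPL, ADMIN_SLOT: LEGIT_ADMIN}),
]
```

Run `audit_proxy` once right after deployment, before liquidity is seeded, and feed `detect_switch` per-block reads of the proxy's storage so a pointer change fires an alert rather than being discovered after the mint.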


The exploit let attackers mint 110k tokens, draining $1.55 million from Uniswap and Morpho pools.


Kinto responded quickly to confirm that the exploit occurred entirely off its network, specifically targeting the $K token’s proxy deployment on Arbitrum. They reassured users that all funds bridged into the Kinto Layer 2 network remained secure, with no impact on user wallets, the bridge, or vaults. A full investigation was launched immediately, with support from security partners including Seal 911, Hypernative, Venn, and ZeroShadow. Kinto emphasized transparency and promised to publish more details as they became available.


The outcome of the incident was a loss of approximately $1.55 million in liquidity from Uniswap V4 and Morpho Blue due to a proxy exploit that allowed an attacker to mint unlimited $K tokens. The market cap of $K dropped by over 95%, and suppliers on Morpho were left exposed, with $3.2 million owed. In response, Kinto froze centralized exchange trading, withdrew remaining liquidity, and began collaborating with security experts and investigators to trace the attacker. Although Kinto’s core infrastructure remained untouched, the reputational and financial damage was significant. A recovery plan is underway, including a full token migration, balance restoration to pre-hack levels, and liquidity reboot using both internal funds and external support.


Kinto plans to recover by deploying a new, secure $K token contract on Arbitrum and restoring all balances to their state before the hack (block 356170028). Centralized exchange trading has been frozen, and remaining liquidity was withdrawn. The team will reopen trading at the pre-hack price after reseeding liquidity through a small recovery fund. Morpho lenders will be given a 90-day window to recover most of their funds, with any shortfall covered by team funds or newly issued assets. Additionally, wallets that bought $K after the hack but before the first public alert will receive pro-rata compensation in the new token.


The situation remains ongoing as Kinto continues its investigation with security partners to trace the attacker and recover funds. A new $K token is being prepared with balance restoration to the pre-hack state, alongside efforts to raise capital and reboot liquidity. Morpho users are in a 90-day remediation window, and plans are being finalized to compensate early post-hack buyers. Recovery actions, trading relaunch, and community restitution are all still in motion.



Kinto, a modular DeFi platform bridging decentralized and traditional finance, suffered a major off-network exploit through a vulnerability in the proxy deployment of its $K token on Arbitrum. The flaw allowed an attacker to insert a hidden implementation in an uninitialized storage slot, later switching control to it and upgrading the contract to a malicious version with minting capabilities. This enabled the attacker to mint 110,000 unauthorized tokens, draining $1.55 million from Uniswap and Morpho liquidity pools and causing the $K token’s market cap to plummet over 95%.
