Kinto Token Hidden Off-Network Proxy Initialization Exploit
Kinto, a modular DeFi platform bridging decentralized and traditional finance, suffered a major off-network exploit through a vulnerability in the proxy deployment of its $K token on Arbitrum. The flaw allowed an attacker to insert a hidden implementation in an uninitialized storage slot, later switching control to it and upgrading the contract to a malicious version with minting capabilities. This enabled the attacker to mint 110,000 unauthorized tokens, draining $1.55 million from Uniswap and Morpho liquidity pools and causing the $K token’s market cap to plummet over 95%.[1][2][3][4][5][6]
About Kinto
Kinto is a modular exchange and non-custodial wallet platform designed to bring together the strengths of decentralized finance (DeFi) and traditional finance. Its infrastructure prioritizes user security and ease of use, offering insured wallets and a network tailored to meet the high standards of both sectors. Kinto promotes itself as a bridge between these financial systems, creating a seamless experience where users can safely engage with diverse financial instruments, including those typically unavailable on other chains, such as U.S. equities.
One of Kinto’s defining features is its verified user base and wallet insurance, aiming to eliminate the risks of anonymity-driven scams that have historically impacted DeFi. This verification system not only enhances safety but also unlocks new financial opportunities by ensuring regulatory compliance. Developers benefit from native support for Know Your Customer (KYC) processes and investor accreditation within an OFAC-compliant ecosystem, removing long-standing barriers that have hindered integration between on-chain protocols and traditional finance.
Kinto positions itself as a neutral, decentralized foundation for the next generation of finance—one that is transparent, inclusive, and secure. It offers a unified environment for both individuals and institutions to participate confidently in the evolving financial landscape. By merging security, regulatory compliance, and decentralization, Kinto aims to redefine how financial services are built and accessed, ensuring that the benefits of future finance are available to all.
The Reality
A vulnerability existed in the proxy's implementation storage slot: if that slot isn't properly initialized during deployment, it becomes possible to write a second, hidden implementation in the same storage page at a different offset. While block explorers would show the expected, legitimate implementation, the hidden one remained invisible and dormant, waiting to be triggered.
What Happened
A critical vulnerability in a third-party proxy contract allowed an attacker to hijack the Arbitrum $K token, mint unlimited tokens, and drain over $1.5 million in liquidity.
| Date | Event | Description |
|---|---|---|
| July 9th, 2025 2:17:00 PM MDT | First Public Vulnerability Disclosure | First public disclosure of the proxy-slot back-door by @deeberiroz. |
| July 10th, 2025 2:40:00 AM MDT | Attack Transaction Happens | The attacker upgraded the Arbitrum $K token proxy, minted unlimited $K and drained all available liquidity from both Uniswap V4 and Kinto's Morpho Blue vault. |
| July 10th, 2025 5:33:00 AM MDT | Full Tweet By Kinto Team | The Kinto team posts a full tweet about the exploit and path forward. |
Technical Details
If an EIP-1967 proxy storage slot isn't properly initialized during deployment, it becomes possible to write a second, hidden implementation in the same storage page at a different offset. While block explorers would show the expected, legitimate implementation, the hidden one remained invisible and dormant, waiting to be triggered.
At a chosen moment, the attacker switched the proxy’s pointer to this hidden implementation. Doing so granted them control over the contract, allowing them to upgrade it again—this time to a malicious version with minting functionality. This effectively gave the attacker unauthorized access and control, bypassing intended restrictions and enabling them to manipulate the token supply.
The $K token on Arbitrum was impacted because it used a common transparent-proxy ERC-20 pattern, which included the flawed initialization behavior. This pattern was based on OpenZeppelin libraries that are widely used and have been heavily audited, but the deployment still inherited the latent vulnerability. Crucially, no part of the exploit involved code written by the Kinto core team or running on Kinto’s Layer 2—only the proxy setup on Arbitrum was affected.
The exploit did not impact Kinto’s Layer 2 network, core infrastructure, wallets, or bridge.
Total Amount Lost
The exploit let attackers mint 110k tokens, draining $1.55 million from Uniswap and Morpho pools.
The total amount lost has been estimated at $1,550,000 USD.
Immediate Reactions
Kinto responded quickly to confirm that the exploit occurred entirely off its network, specifically targeting the $K token’s proxy deployment on Arbitrum. They reassured users that all funds bridged into the Kinto Layer 2 network remained secure, with no impact on user wallets, the bridge, or vaults. A full investigation was launched immediately, with support from security partners including Seal 911, Hypernative, Venn, and ZeroShadow. Kinto emphasized transparency and promised to publish more details as they became available.
Ultimate Outcome
The outcome of the incident was a loss of approximately $1.55 million in liquidity from Uniswap V4 and Morpho Blue due to a proxy exploit that allowed an attacker to mint unlimited $K tokens. The market cap of $K dropped by over 95%, and suppliers on Morpho were left exposed, with $3.2 million owed. In response, Kinto froze centralized exchange trading, withdrew remaining liquidity, and began collaborating with security experts and investigators to trace the attacker. Although Kinto’s core infrastructure remained untouched, the reputational and financial damage was significant. A recovery plan is underway, including a full token migration, balance restoration to pre-hack levels, and liquidity reboot using both internal funds and external support.
Total Amount Recovered
Kinto plans to recover by deploying a new, secure $K token contract on Arbitrum and restoring all balances to their state before the hack (block 356170028). Centralized exchange trading has been frozen, and remaining liquidity was withdrawn. The team will reopen trading at the pre-hack price after reseeding liquidity through a small recovery fund. Morpho lenders will be given a 90-day window to recover most of their funds, with any shortfall covered by team funds or newly issued assets. Additionally, wallets that bought $K after the hack but before the first public alert will receive pro-rata compensation in the new token.
The total amount recovered is unknown.
Ongoing Developments
The situation remains ongoing as Kinto continues its investigation with security partners to trace the attacker and recover funds. A new $K token is being prepared with balance restoration to the pre-hack state, alongside efforts to raise capital and reboot liquidity. Morpho users are in a 90-day remediation window, and plans are being finalized to compensate early post-hack buyers. Recovery actions, trading relaunch, and community restitution are all still in motion.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Just Bad Luck - Rekt (Accessed Jul 15, 2025)
- [2] Post-Mortem — $K Proxy Hack & Our Path Forward - Medium (Accessed Jul 15, 2025)
- [3] PC Aversaccio - "It gets even more fancy: the way Etherscan was tricked showing the wrong implementation contract is based on setting 2 different proxy slots in the same frontrunning tx. So Etherscan uses a certain heuristic that incorporates different storage slots to retrieve the implementation contract." - Twitter/X (Accessed Jul 15, 2025)
- [4] Kinto XYZ - "We can confirm that an exploit has happened OFF the Kinto network impacting the $K token deployment in Arbitrum." - Twitter/X (Accessed Jul 15, 2025)
- [5] Kinto Twitter/X Account (Accessed Jul 15, 2025)
- [6] Kinto Homepage (Accessed Jul 15, 2025)