Kinto Releases Post-Mortem Report on K Attack Incident, Plans to Migrate Contracts and Restore User Assets

Foresight News reports that Kinto founder Ramon Recuero has released a detailed post-mortem report regarding the K token hack. The attack originated from a hidden backdoor vulnerability in the ERC-1967 Proxy standard, which allowed the attacker to bypass block explorer detection, upgrade the K proxy contract on Arbitrum, and mint unlimited tokens. The attacker then extracted approximately $1.55 million in liquidity from Uniswap V4 and Morpho Blue.

Kinto stated that the vulnerability exists in the widely used OpenZeppelin Proxy template and was not code written by the Kinto team. The Kinto L2 network, wallet SDK, and abstraction infrastructure were not affected, and users’ other assets on Kinto were not impacted. The project team will implement the following remediation measures:

Deploy a new K contract: Launch a reinforced new contract on Arbitrum; Asset recovery: Take a snapshot of on-chain and certain exchange addresses at the pre-attack block (356170028) to restore all token balances; Liquidity restart: Conduct a small-scale fundraising round to inject new liquidity into the Uniswap pool and restore exchange trading at pre-attack prices; Morpho compensation plan: Grant borrowers a 90-day repayment period, with the team covering the remaining shortfall; Speculator compensation mechanism: Provide a proportional distribution window of new K tokens as compensation to users who purchased after the attack but before the announcement.

Currently, Kinto has frozen trading on the affected exchange and closed the remaining liquidity, while collaborating with security teams such as ZeroShadow and Venn to track the attacker. The project team is calling on the community to support the rebuilding plan and raise funds to restore the market and compensate victims.