Kinto Token Tanks 90% as Backdoor Disclosure Lets Attacker Mint 110,000 Tokens and Drain Liquidity Pools

The native token of Kinto, a compliance-focused Layer 2 network, crashed 90% on July 10 in under an hour after an attacker exploited its token minting mechanism and drained assets.

According to a July 11 X thread by Kinto co-founder Ramon Recuero, the incident appears to be tied to a broader vulnerability affecting thousands of contracts across DeFi built using the ERC1967Proxy standard, a common OpenZeppelin codebase that allows smart contracts to be upgraded without changing their address.

The vulnerability — first uncovered by blockchain security firm Venn Build alongside researchers from Dedaub, SEAL 911, and on-chain analyst pcaversaccio — revealed that thousands of contracts using the ERC1967Proxy standard were exposed to a novel exploit that let attackers insert malicious proxy admins while deceiving block explorers like Etherscan.

While the full list of affected projects remains unclear, Recuero noted that at least one — Berachain, a Layer 1 blockchain that had raised $100 million — was also exposed to the vulnerability but managed to prevent an attack in time.

Although a 36-hour “war room” effort helped secure many protocols before the vulnerability was widely exploited, Recuero said Kinto was not notified in time — even after other teams had been alerted — suggesting that the public disclosure of the vulnerability may have unintentionally triggered the attack on Kinto.

Recuero reiterated to The Defiant that the “Kinto network, assets and wallet are not affected and they are extremely safe,” adding that the Kinto smart contracts themselves were not breached. “This was a vulnerability in proxy contract ERC 1967 made worse by a bug in block explorers like Etherscan or Arbiscan,” he added.

Source: Arbiscan

By leveraging the backdoor, the attacker minted 110,000 K tokens and later used them to drain the Morpho Vault and a Uniswap v4 pool. Additional tokens were minted on demand, with funds bridged and swapped across protocols in what Recuero described as a “straightforward” attack.

“I know this is a really hard time for all of you. I am really sorry this has happened. No matter the circumstances, it is all my fault and I take responsibility. Me and the team will do anything in our power to come back from this,” Recuero wrote.

‘All Signs Point to Lazarus’

Amid the attack, Kinto’s native token K collapsed by 90% in under an hour, crashing from $7.69 to just $0.50 and wiping out nearly $13 million in market value in a matter of minutes, per data from CoinGecko.

Kinto Chart

Per Recuero, the team is working with authorities in the Cayman Islands and security groups, including ZeroShadow and Venn Build, to track the attacker. Speaking with The Defiant, Recuero said that “all signs point to Lazarus,” a North Korean state-sponsored hacking group that was also responsible for the $1.5 billion Bybit hack earlier this year.

If recovery efforts are successful, Kinto plans to roll back token balances to a snapshot block taken before the exploit, restore the Morpho vault and Uniswap liquidity, as well as relist K on centralized exchanges at the pre-hack price of $7.48 by July 31.

Recuero emphasized that the core Kinto network — including the wallet, bridge, and UI — remains unaffected. Following the hack, critics on social media panned Kinto’s reliance on the OpenZeppelin ERC1967Proxy pattern without fully auditing it for all possible vulnerabilities.

A user under the alias @SemiDeFi argued that the “sloppy proxy setup” left the door open to exploitation, effectively holding Kinto responsible for the breach.

In response, Recuero told The Defiant that “the vulnerable proxy contracts were audited by 30 different auditors, part of the OpenZeppelin foundational contract library and had been used for 10 years until now.”

Founded in 2023 by Ramon Recuero, Víctor Sánchez, and Alan Keegan, Kinto is a compliance‑focused Layer 2 network built on Ethereum’s Arbitrum Nitro stack, featuring native KYC/AML enforcement.

Kinto TVS

According to data from L2Beat, Kinto held over $80 million in total secured value as of December 2024, but that figure has since declined, dropping to $16 million as of July 10.

In February 2025, Brevan Howard Digital’s Abu Dhabi arm deployed $20 million in assets on Kinto to participate in its institutional-grade DeFi ecosystem.

Source