According to Foresight News, Kinto founder Ramon Recuero released a detailed post-mortem report on the K token hack. The attack exploited a hidden backdoor vulnerability in the ERC-1967 Proxy standard, allowing the attacker to bypass block explorer detection, upgrade the K proxy contract on Arbitrum, and mint unlimited tokens, subsequently extracting approximately $1.55 million in liquidity from Uniswap V4 and Morpho Blue.
Kinto stated that the vulnerability existed in the widely used OpenZeppelin Proxy template, which was not written by the Kinto team. The Kinto L2 network, wallet SDK, and abstract infrastructure were not affected, and users' other assets on Kinto remained unharmed. The project will implement the following remedial measures:
Deploy a new K contract: Launch an enhanced contract on Arbitrum.
Asset recovery: Take a snapshot of on-chain and CEX addresses before the attack block (356170028) to restore all token balances.
Restart liquidity: Conduct a small-scale financing to inject new liquidity into the Uniswap pool and restore CEX trading at pre-attack prices.
Morpho compensation plan: Provide borrowers with a 90-day repayment period, with the team covering the remaining gap.
Speculator compensation mechanism: Offer a proportional distribution of new K tokens to users who purchased before the post-attack announcement.
Kinto has currently frozen CEX trading and closed remaining liquidity, while collaborating with security teams like ZeroShadow and Venn to track the attacker. The project calls on the community to support the rebuilding plan and raise funds for market recovery and victim compensation.



