Techub News reports that Ramon Recuero, founder of Kinto, a modular trading platform in the Arbitrum ecosystem, has released a detailed review of the K token hacking incident. The attack originated from a hidden backdoor vulnerability in the ERC-1967 Proxy standard, which allowed the attacker to bypass block explorer detection, upgrade the proxy contract of K on Arbitrum, and mint an unlimited number of tokens. Subsequently, approximately $1.55 million in liquidity was extracted from Uniswap V4 and Morpho Blue.

Kinto stated that the vulnerability exists in the widely used OpenZeppelin Proxy template and is not code written by the Kinto team. The Kinto L2 network, wallet SDK, and abstract infrastructure were not affected, and users' other assets on Kinto were also unaffected.

The project team will take the following remedial measures. Deploying a new K contract: launching a reinforced new contract on Arbitrum. Asset recovery: taking a snapshot of on-chain and CEX addresses at the block prior to the attack (356170028) to restore all token balances. Restarting liquidity: conducting small-scale financing to inject new liquidity into the Uniswap pool and restoring CEX trading at the pre-attack price. Morpho compensation plan: providing borrowers with a 90-day repayment period, with the team covering the remaining gap. Speculator compensation mechanism: offering a proportionally distributed new K compensation window for users who purchased after the attack but before the announcement.