Kinto plummets 90%, is it a vulnerability attack or a conspiracy to crash the market?
Author: 1912212.eth, Foresight News
The bull market in the cryptocurrency market has quietly arrived, yet sudden short-term crashes of project protocol tokens are still common. On July 10, against the backdrop of an overall positive trend in the cryptocurrency market, the native token K of the Kinto project experienced a severe crash, plummeting from around $8 to about $0.7, a drop of over 90%, with its market value evaporating to less than two million dollars.
This incident quickly caused a stir on social media and in the crypto community, with investors accusing the project team of a "rug pull."
K Token Plummets Over 80% in 2 Hours
Kinto is an Ethereum-based Layer 2 solution focused on the development of smart wallets and DeFi infrastructure. Its token K officially launched for trading at the end of March 2025 and briefly rose to around $7, and the project was regarded as a promising one in the Arbitrum ecosystem. However, everything took a sharp turn on July 10. Around 4 PM Beijing time, the price of K began to fluctuate abnormally, initially dropping slightly and then crashing by over 80% within just 2 hours. Trading data showed a sudden influx of a large number of K tokens into the liquidity pool, leading to a surge in supply and a subsequent panic sell-off in the market.
A user on social platform X, @waleswoosh, posted: "Someone minted fake K tokens and sold them all, causing Kinto's market value to drop from $80 million to $7 million, truly an incredible technical error."
Facing market skepticism, Kinto's official team responded quickly and confirmed that a vulnerability had been discovered outside the Kinto network.
Notably, just on June 30, the Kinto project had completed a round of early investor token unlocks, involving about 2.25 million K tokens worth approximately $15 million. This led some community members to suspect that the crash was related to internal selling rather than a mere technical vulnerability.
Kinto CEO Announces Investigation Results to Address Concerns
Kinto's official team announced a follow-up action plan, including:
- Raising funds to recover the $1.4 million loss in Uniswap liquidity and Morpho vault balance;
- Taking a snapshot of K balances before the hack;
- Creating a new K token on Arbitrum using these balances.
Kinto's statement emphasized that the vulnerability did not occur in the Kinto core network but rather in peripheral contracts on the Arbitrum chain, and that it was not intentional on the project team's part. The team stated that they had suspended the relevant contract functions and initiated an emergency audit. They also denied the community's rug pull accusations, pointing out that the team tokens are locked until April 2026 and cannot be sold prematurely.
Kinto CEO Ramon Recuero added in a follow-up post: "This was an accidental technical error, and our team is working hard to fix it and will compensate affected users." He outlined the sequence of events.
The hacker minted K tokens in unlimited quantities on the Arbitrum network and stole $1.55 million worth of ETH and USDC from the Uniswap and Morpho platforms, which also drove down the price of K. Previously, a serious backdoor had been found in thousands of contracts using ERC1967Proxy (a commonly used standard provided by OpenZeppelin, abbreviated as OZ). The hacker was able to exploit vulnerabilities in blockchain explorers (such as Etherscan and Arbiscan) to implant a malicious proxy unnoticed. Ramon Recuero stated that many teams received notifications and patched the vulnerabilities, but Kinto did not receive any notice, allowing the hacker to quickly take control of its tokens on Arbitrum and attack through the proxy before the patch was released. At 4:34 PM Beijing time, the hacker minted 110,000 K tokens and began the attack to drain the Morpho Vault and Uniswap v4 pool.
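The sequence above turns on a proxy whose real implementation differed from what block explorers displayed. As an added example (not from the article or from Kinto's code), the check below compares the raw ERC-1967 implementation slot of each proxy with the team's deployment record and with the explorer's displayed value; the proxy names, addresses and finding labels are constructed, and the slot words stand in for `eth_getStorageAt` results.

```python
# ERC-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
IMPL_SLOT = "0x360894a13ba1a3210667c6828492db98dca3e2076cc3735a920a3ca505d382bc"

def word_to_address(word_hex):
    """Decode a 32-byte storage word into a 20-byte address; reject malformed words."""
    raw = bytes.fromhex(word_hex[2:] if word_hex.startswith("0x") else word_hex)
    if len(raw) != 32:
        raise ValueError("storage word must be 32 bytes")
    if any(raw[:12]):
        raise ValueError("upper 12 bytes are not zero")
    return "0x" + raw[12:].hex()

def audit_proxy(slot_word, expected_impl, explorer_impl):
    """Return findings for one proxy; an empty list means all three sources agree."""
    try:
        on_chain = word_to_address(slot_word)
    except ValueError as exc:
        return ["malformed_slot: %s" % exc]
    findings = []
    if int(on_chain, 16) == 0:
        findings.append("no_implementation_set")
    if on_chain != expected_impl.lower():
        findings.append("slot_differs_from_deployment_record")
    if explorer_impl.lower() != on_chain:
        findings.append("explorer_differs_from_slot")
    return findings

def audit_all(records):
    """Audit every proxy and keep only those with at least one finding."""
    flagged = {}
    for name, rec in records.items():
        findings = audit_proxy(rec["slot_word"], rec["expected"], rec["explorer"])
        if findings:
            flagged[name] = findings
    return flagged

# Constructed sample data: slot_word is what reading IMPL_SLOT would return.
PAD = "0x" + "00" * 12
GOOD = "0x" + "11" * 20  # implementation the team deployed (constructed)
SAMPLE = {
    "token_proxy": {"slot_word": PAD + "ee" * 20, "expected": GOOD, "explorer": GOOD},
    "vault_proxy": {"slot_word": PAD + "11" * 20, "expected": GOOD, "explorer": GOOD},
    "new_proxy": {"slot_word": "0x" + "00" * 32, "expected": GOOD, "explorer": GOOD},
}

if __name__ == "__main__":
    for proxy, findings in audit_all(SAMPLE).items():
        print(proxy, findings)
```

Reading the slot directly from a node rather than trusting an explorer's "implementation" field is the point of the check: in the sample, `token_proxy` looks correct in the explorer while its slot points elsewhere.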
Ramon apologized to the community and stated that the team would raise funds from partners and existing investors to restore the token balance to the state before the hacker attack or block 356168891.
He said that if this fundraising succeeds, they would complete the following by July 31:
- Restore all K token balances to the snapshot state before the hacker attack.
- Restore the Morpho funding pool to its state before the hacker attack, including the Royco-related portion.
- Restore liquidity on Uniswap.
- Restart trading on centralized exchanges (CEXs) at the same price of $7.48.
However, this response did not completely quell community dissatisfaction. Opinions suggesting that the project team was dumping tokens were rampant on social media, with many investors sharing screenshots of their holdings, lamenting significant losses.
This vulnerability incident is not an isolated case. The cryptocurrency market has seen multiple similar contract vulnerability incidents. According to TheBlock, the crypto industry lost $92.5 million due to DeFi vulnerabilities just in April this year, a year-on-year increase of 27.3%. Among them, the UPCX and KiloEx incidents had the largest losses, amounting to $70 million and $7.5 million, respectively.
Analysts from blockchain security company PeckShield stated: "The vulnerability in Kinto may have been caused by a reentrancy attack due to the minting function not being locked. Such issues are common in contracts that have not undergone multiple rounds of audits." They advised investors to prioritize checking audit reports and token unlock schedules when participating in new projects.
The Kinto case once again highlights the security challenges blockchain projects face when deploying Layer 2 solutions.
Summary
The Kinto token crash incident is a microcosm of the cryptocurrency market in 2025: innovation coexists with risk. Yesterday's crash and today's official announcement not only test the project team's crisis response capabilities but also remind investors to act cautiously. In the coming days, Kinto's audit report and compensation plan will be the focus. If handled properly, this may just be a temporary low; otherwise, it could severely damage its reputation. In this fast-paced market, DYOR (Do Your Own Research) remains an eternal mantra.















