On 10 July, DeFi protocol Kinto was hit by a major exploit that saw attackers mint 110,000 $K tokens and drain $1.55 million from Uniswap and Morpho liquidity pools. The value of the $K token collapsed by over 90 percent in less than 24 hours.
The vulnerability came from a flaw in an ERC-1967 proxy contract, a widely used but risky pattern in smart contract architecture. Kinto’s team insists the issue was not with their own contracts, but with outdated third-party code from OpenZeppelin. They described the exploit as highly sophisticated and even suggested it may have been carried out by a state actor, a claim that has raised eyebrows across the crypto community.
Kinto had presented itself as a regulated and secure gateway for institutions entering DeFi. Its founder, Ramon Recuero, previously led Babylon Finance, another project that faced a major crisis in 2022. In that case, Recuero reimbursed affected users out of his own resources, earning praise despite the platform’s collapse.
This time, Kinto’s recovery plan involves setting up a new token and raising fresh capital from investors and partners. There is no promise of direct reimbursement from the team’s own treasury. While legitimate users may eventually be compensated, this depends on how much funding the recovery fund can attract.
What has added to the controversy is the precise nature of the attack. The hacker minted exactly 110,000 tokens and struck just 12 hours after the vulnerability was disclosed, leading some to question whether this was a case of insider knowledge rather than opportunistic hacking.
Kinto now plans to relaunch with a new token, updated contracts, and promises of improved transparency. Whether that will be enough to restore trust remains uncertain.
For readers who want to understand the full technical breakdown of the exploit, the timeline of events, and the ongoing questions around Kinto’s leadership and recovery strategy, the full analysis, “Just Bad Luck”, is available on rekt.

