Kinto Hack (2025)

1000 BTC

Monetary Impact (USD): 2400000
Month: July
Year: 2025
Type: Smart Contract
Network: Arbitrum
Platform Status: Inactive
Cause: CPIMP proxy storage-slot vulnerability

Incident Review

In July 2025, Kinto, a chain-abstracted wallet and L2 protocol on Arbitrum, lost 577 ETH (~$2.4M) in a CPIMP proxy storage-slot exploit targeting its $K token contract. The exploit is part of a broader industry-wide vulnerability class affecting billions (per Dedaub's postmortem). The attacker upgraded the proxy implementation via a malicious initializer, draining funds from Morpho/Royco suppliers (2.86M reUSD covered initially); the Kinto L2, wallets and chain remained secure.

Amid fundraising failures after the hack, the team, operating unpaid since July, announced a shutdown on Sep 7, 2025, consolidating the ~$800k treasury to repay Phoenix lenders 76% of principal, waiving $1M in debt. The founder donated $55k for grants of up to $1.1k per address; victims were offered CVRs for 100% recoveries (portal Oct 1), with any excess going to staked/unstaked $K holders via snapshot. Withdrawals open until Sep 30, then claimable as Mainnet USDC; ERA airdrop distributed Oct 15.

The team is pursuing recoveries with ZeroShadow/ZachXBT. The exploit, flagged privately to some but not Kinto (per Venn), exposes proxy risks in early deployments, urging virtual offsets, granular audits, and AML tracing to mitigate $2.4M losses amid 2025's CP wave.
