- Kinto’s $K token plunged 99% after an exploit of the Arbitrum token contract.
- An attacker minted 7 million tokens and drained USDC via the Morpho lending platform.
- Kinto says user funds are safe and a full investigation is underway.
Kinto Network suffered a severe blow after a smart contract exploit tied to an Arbitrum deployment, which caused the K token’s value to collapse.
In just 24 hours, the price of the $K token fell by more than 99%, shocking investors and triggering widespread uncertainty across the decentralized finance (DeFi) sector.
The breach originated from a minting contract on Arbitrum—not from Kinto’s mainnet—and allowed unauthorized creation of millions of tokens, ultimately undermining confidence in the project’s tokenomics.
The exploit originated from an Arbitrum token contract
Kinto confirmed the exploit occurred off-chain on the Arbitrum version of the K token’s minting contract, which lacked sufficient protections against unauthorized minting.
Although Kinto’s mainnet, user wallets, and bridge vaults remained unaffected, the attacker minted nearly 7 million K tokens—more than three times the previously circulating supply of under 2 million tokens.
Early on-chain analysis indicates the malicious actor did not immediately dump the tokens on public exchanges. Instead, they employed a slow strategy to manipulate market perception and inflate the token’s apparent value.
This gradual approach allowed the attacker to leverage the artificially boosted token valuation as collateral on Morpho, a DeFi lending protocol, depositing the newly minted tokens as security.
Soon after, the attacker borrowed substantial amounts of USDC and withdrew the funds, leaving the protocol and the wider market exposed to significant losses.
Morpho left holding largely worthless tokens
One of the most damaging aftereffects of the exploit was the unintended harm to Morpho, where the attacker had deposited the inflated $K tokens as collateral.
With the token’s value now decimated, Morpho is left holding tokens that are effectively worthless, raising concerns about how the platform will manage the resulting bad debt and mitigate the financial impact.
The incident highlights the systemic risk associated with DeFi platforms that rely heavily on collateral whose value can be manipulated.
Kinto has not disclosed the exact amount of USDC withdrawn from Morpho, but recovery efforts are reportedly underway.
The rapid K price crash sparked panic
Within an hour of the exploit on Thursday, K token’s value collapsed by 45%, triggering a wave of selling that erased more than 99% of the token’s value by Friday.
The token, which reached an all-time high of $11.89 in late March 2025, hit a new low of $0.4854 according to CoinMarketCap data.
At the time of writing the token trades at $0.7053, down over 99.15% from its peak three months earlier, with a market capitalization near $1.29 million.
Trading volume surged to more than $2.72 million over 24 hours as investors rushed to exit positions, accelerating the collapse.
Kinto has engaged third parties to investigate the exploit
Following the exploit, Kinto quickly issued a public statement assuring users that mainnet funds and bridge vaults were not affected.
The team acknowledged the severity of the incident and has engaged third-party security firms, including Hypernative, Seal 911, Venn, and Zeroshadow, to investigate the exploit and assist with recovery efforts.
Kinto community. We are looking into the situation ourselves and with third parties (Hypernative, Seal 911) – as soon as we have a clear picture of what has happened we will make an announcement.
— Kinto (@KintoXYZ) July 10, 2025
Kinto has pledged full transparency and says it will publish a comprehensive report once the investigation concludes.
Despite these assurances, market confidence remains shaken. Users on social media criticized the project’s contract design and the apparent lack of rigorous security audits.
Some community members expressed frustration at what they see as a recurring pattern of under-vetted DeFi projects that leave retail investors exposed.
Kinto has stated that no insiders sold tokens during the crash and that scheduled token unlocks remain planned for April 2026, but speculation continues about whether the exploit could have been prevented.
The project’s future now depends on its ability to regain trust, patch security vulnerabilities, and recover lost value.
Until then, the $K token is likely to remain volatile as traders assess the risk of remaining in a project shaken to its core by a destructive exploit.