Summary Value Secured Activity Onchain costs Milestones & Incidents Risk summary Risk analysis Rollup stage Data availability State validation Operator Sequencing Withdrawals Other considerations Upgrades & Governance Permissions Smart contracts

Kinto

Badges

About

Kinto is an Orbit stack L2 with account abstraction and KYC enabled for all users, supporting both modern financial institutions and decentralized protocols.

Value securedTVS

$34.65 M2.05%

Canonically BridgedCanonical

$326.54 K

Natively MintedNative

$6.40 M

Externally BridgedExternal

$27.91 M

View TVS Breakdown

Tokens

Past day UOPS

0.010.00%

30D ops count

62.48 K

Gas token

ETH

Stage

Type

Optimistic Rollup

Purpose

KYC-ed DeFi

Sequencer failureState validationData availabilityExit windowProposer failure

Badges

About

Kinto is an Orbit stack L2 with account abstraction and KYC enabled for all users, supporting both modern financial institutions and decentralized protocols.

Kinto

Milestones & Incidents

Upgrades & Governance

Permissions

Smart contracts

Stages changes

93d

13h

53m

09s

The project will be downgraded to

Stage 0

because it does not satisfy an upcoming Stage 1 principle.

The project will move to Stage 0 because:

Compromising ≥75% of the Security Council should be the only way (other than bugs) for a rollup to indefinitely block an L2→L1 message (e.g. a withdrawal) or push an invalid L2→L1 message (e.g. an invalid withdrawal).

Learn more about the new requirements

Value Secured

2024 Apr 26 — 2025 Apr 26

View TVS breakdown

Total value securedTotal

$34.65 M2.05%

Canonically BridgedCanonically Bridged ValueCanonical

$326.54 K13.1%

Natively MintedNatively Minted TokensNative

$6.40 M12.1%

Externally BridgedExternally Bridged ValueExternal

$27.91 M0.13%

View TVS breakdown

Activity

Onchain costs

The section shows the operating costs that L2s pay to Ethereum.

2024 Apr 26 — 2025 Apr 25

Show data posted

1 year total cost

$23.25 K

Avg cost per L2 UOP

$0.032506

1 year data posted

247.63 MiB

Avg size per L2 UOP

410.49 B

Milestones & Incidents

Appchain Stage 1

2025 Mar 27th

Users can exit the L2 in case of unwanted upgrades by actors other than the Security Council.

Learn more

Security Council Governance

2024 Nov 3rd

Kinto gives the ownership of all L1 system contracts to a Security Council that is properly set up.

Learn more

Risk summary

Fraud proof system is fully deployed but is not yet permissionless as it requires Validators to be whitelisted.

Fraud proof system is fully deployed but is not yet permissionless as it requires Validators to be whitelisted.

Sequencer failureState validationData availabilityExit windowProposer failure

Sequencer failure

Self sequence

In the event of a sequencer failure, users can force transactions to be included in the project’s chain by sending them to L1. There can be up to a 1d delay on this operation.

State validation

Fraud proofs (INT)

Fraud proofs allow 5 WHITELISTED actors watching the chain to prove that the state is incorrect. At least 5 Challengers are external to the Operator. Interactive proofs (INT) require multiple transactions over time to resolve. There is a 6d 8h challenge period.

Data availability

Onchain

All of the data needed for proof construction is published on Ethereum L1.

Exit window

None

There is no exit window for users to exit in case of unwanted regular upgrades of the L1 as they are initiated by the Security Council with instant upgrade power and without proper notice. Upgrades initiated by actors other than the Security Council (e.g. KYC providers) on Layer 2 guarantee at least a 7d exit window to the user.

Proposer failure

Self propose

Anyone can become a Proposer after 12d 17h of inactivity from the currently whitelisted Proposers.

Rollup stage

Kinto is a

Stage 1

Appchain

Optimistic Rollup.

In scope

Ability to deposit, spend, and withdraw the gas token (ETH)

Derivation logic spec

Upgradability of standard Orbit stack L1 and L2 core contracts

Upgradability of Kinto-specific L2 contracts: KintoAppRegistry, KintoWalletFactory, KintoID, AccessManager, KintoWallet, EntryPoint

Signer policies and recovery process for the KintoWallet

Forced transaction mechanism via L1 through the EntryPoint and the KintoWallet

Not in scope

Non-gas tokens

Source code to program hash mapping

Upgradability of other whitelisted L2 contracts, including Socket bridge infrastructure

Crosschain DeFi applications

Rollup operators cannot compromise the system, but being application-specific might bring additional risk.

Kinto enforces the use of smart wallets and KYC. A valid state transition in Kinto disallows all transactions by EOAs and new contracts creation, unless specifically whitelisted. This setup effectively enforces smart wallet use because the auxiliary contracts of the standard KintoWallet smart wallet (like the EntryPoint and the KintoWalletFactory) are whitelisted. The KYC validation is part of the KintoWallet signature verification. Since all users must use the same implementation of this smart wallet, all user transactions on Kinto check for an up-to-date KYC flag, and are dropped in case the check fails. The system ensures that KYC can be revoked only if the Security Council proactively agrees to a proposed status change by a KYC provider. The Security Council has been historically following KYC provider decisions and it is explicitly tasked to do so. The KintoWallet implementation supports different signer thresholds with a maximum of 4 signers. The first signer for each users smart wallet though is enforced to be held by Turnkey in a TEE. Users can make transactions using this first signer only through Kinto's frontend. Authenticated by a passkey, the Turnkey TEE then signs the transaction for them and submits it to the L2. The user can still choose to not trust Turnkey by adding 2 EOA signers to their wallet and setting their signer policy to 2/3 during wallet creation. Contracts outside of the ones necessary to interact with the smart wallet and to withdraw the gas token are out of scope for the stage assessment and might present additional risks.

Note:

We're still in the process of formalizing how to properly integrate appchains in the Stages framework.

New requirements coming soon

93d

13h

53m

09s

The project will be downgraded to

Stage 0

because it does not satisfy an upcoming Stage 1 principle.

Learn more about the new requirements

Learn more about Rollup stages

Please keep in mind that these stages do not reflect rollup security, this is an opinionated assessment of rollup maturity based on subjective criteria, created with a goal of incentivizing projects to push toward better decentralization. Each team may have taken different paths to achieve this goal.

Data availability

All data required for proofs is published on chain

All the data that is used to construct the system state is published on chain in the form of cheap blobs or calldata. This ensures that it will be available for enough time.

Learn more about the DA layer here:

Ethereum

State validation

Updates to the system state can be proposed and challenged by a set of whitelisted validators. If a state root passes the challenge period, it is optimistically considered correct and made actionable for withdrawals.

State root proposals

Whitelisted validators propose state roots as children of a previous state root. A state root can have multiple conflicting children. This structure forms a graph, and therefore, in the contracts, state roots are referred to as nodes. Each proposal requires a stake, currently set to 0.1 ETH, that can be slashed if the proposal is proven incorrect via a fraud proof. Stakes can be moved from one node to one of its children, either by calling stakeOnExistingNode or stakeOnNewNode. New nodes cannot be created faster than the minimum assertion period by the same validator, currently set to 15m. The oldest unconfirmed node can be confirmed if the challenge period has passed and there are no siblings, and rejected if the parent is not a confirmed node or if the challenge period has passed and no one is staked on it.

Funds can be stolen if none of the whitelisted verifiers checks the published state. Fraud proofs assume at least one honest and able validator (CRITICAL).

How is fraud proven - Arbitrum documentation FAQ

Challenges

A challenge can be started between two siblings, i.e. two different state roots that share the same parent, by calling the startChallenge function. Validators cannot be in more than one challenge at the same time, meaning that the protocol operates with partial concurrency. Since each challenge lasts 6d 8h, this implies that the protocol can be subject to delay attacks, where a malicious actor can delay withdrawals as long as they are willing to pay the cost of losing their stakes. If the protocol is delayed attacked, the new stake requirement increases exponentially for each challenge period of delay. Challenges are played via a bisection game, where asserter and challenger play together to find the first instruction of disagreement. Such instruction is then executed onchain in the WASM OneStepProver contract to determine the winner, who then gets half of the stake of the loser. As said before, a state root is rejected only when no one left is staked on it. The protocol does not enforces valid bisections, meaning that actors can propose correct initial claim and then provide incorrect midpoints.

Fraud Proof Wars: Arbitrum Classic

Operator

The system has a centralized sequencer

While forcing transaction is open to anyone the system employs a privileged sequencer that has priority for submitting transaction batches and ordering transactions.

MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.

Sequencer - Arbitrum documentation

Users can force any transaction

Because the state of the system is based on transactions submitted on the underlying host chain and anyone can submit their transactions there it allows the users to circumvent censorship by interacting with the smart contract on the host chain directly. After a delay of 1d in which a Sequencer has failed to include a transaction that was directly posted to the smart contract, it can be forcefully included by anyone on the host chain, which finalizes its ordering.

Sequencing

Delayed forced transactions

To force transactions from the host chain, users must first enqueue “delayed” messages in the “delayed” inbox of the Bridge contract. Only authorized Inboxes are allowed to enqueue delayed messages, and the so-called Inbox contract is the one used as the entry point by calling the sendMessage or sendMessageFromOrigin functions. If the centralized sequencer doesn’t process the request within some time bound, users can call the forceInclusion function on the SequencerInbox contract to include the message in the canonical chain. The time bound is hardcoded to be 1d.

Withdrawals

Regular messaging

The user initiates L2->L1 messages by submitting a regular transaction on this chain. When the block containing that transaction is settled, the message becomes available for processing on L1. The process of block finalization usually takes several days to complete.

Autonomous exit

Users can (eventually) exit the system by pushing the transaction on L1 and providing the corresponding state root. The only way to prevent such withdrawal is via an upgrade.

Other considerations

Enforced smart wallets and KYC

The Kinto L2 node is a fork of Arbitrum’s geth implementation with notable changes to the state transition function. A valid state transition in Kinto disallows all transactions by EOAs and new contract creation, unless specifically whitelisted. The current whitelist is sourced directly from the KintoAppRegistry smart contract on Kinto L2, and can be modified by the L2 governance. This setup effectively enforces smart wallet use because the auxiliary contracts of the standard KintoWallet smart wallet (like the EntryPoint and the KintoWalletFactory) are whitelisted. The KYC validation is part of the KintoWallet signature verification. Since all users must use the same implementation of this smart wallet, all user transactions on Kinto check for an up-to-date KYC flag, and are dropped in case the check fails.

Users can be censored if a KYC provider changes the users' KYC status and the Security Council confirms it.
Funds can be lost if the user interacts with a compromised whitelisted contract.

User Owned KYC - Kinto documentation

Upgrades & Governance

A diagram of the upgrades and governance

All critical system smart contracts are upgradeable (can be arbitrarily changed). This permission is held by the 6/8 Kinto Security Council on Layer 1 and can be executed without any delay. On the Kinto Layer 2, critical permissions are mostly guarded by an AccessManager contract, and then passed down with configurable delays to both the Security Council and the 2/4 Kinto Multisig 2.

The Appchain designation of Kinto is mainly due to a modified L2 node, which queries a special censoring contract on L2 (called KintoAppRegistry) for a whitelist to filter transactions. This makes the KintoAppRegistry contract a critical system contract and any change to its configuration equivalent to an upgrade of the Layer 2 system. The KintoAppRegistry contract is also governed via the AccessManager by the Security Council or the Kinto Multisig 2 with a 11d delay.

Another critical contract on the Appchain is called KintoID. Permissioned actors with the ‘KYC provider’ role in the KintoID contract can ‘sanction’ (freeze) user smart wallets, preventing them from transacting. To protect users from this role which is mostly held by EOAs, a sanction expires if not confirmed by the Security Council within 3d. An expired sanction guarantees the user a 9d cooldown window during which they cannot be sanctioned again.

The canonical (enforced) smartwallet for users on Kinto can be upgraded via the KintoWalletFactory, using the same path via the AccessManager. Additionally, each smart wallet must use a recoverer address custodied by Turnkey. This allows users to reset the wallet signers via their email in case they lose their passkey. It also necessitates a recovery delay to prevent turnkey from maliciously using their recoverer permission. During this period of 12d, the user can cancel the recovery process with any transaction in their smart wallet.

The permissioned sanctions logic by KYC providers necessitates at least an 11d delay on all upgrades that aren’t executed by the Security Council, allowing the user at least 7d to exit.

Permissions

Ethereum

Roles:

Sequencer 0xe27f…6a39

Can submit transaction batches or commitments to the SequencerInbox contract on the host chain.

Validator (5) Ankr Hypernative2 Caldera2 MamoriLabs3 Venn2

Can propose new state roots (called nodes) and challenge state roots on the host chain.

Actors:

Kinto Security Council 0x17Eb…3B7d

A Multisig with 6/8 threshold.
Can act on behalf of UpgradeExecutor.
Is allowed to interact with RollupProxy - Pause and unpause and set important roles and parameters in the system contracts: Can delegate Sequencer management to a BatchPosterManager address, manage data availability, DACs and the fastConfirmer role, set the Sequencer-only window, introduce an allowList to the bridge and whitelist Inboxes/Outboxes - acting via UpgradeExecutor.
Can upgrade the implementation of RollupProxy - acting via UpgradeExecutor.
Can upgrade the implementation of RollupEventInbox, UpgradeExecutor, ChallengeManager, Outbox, ERC20Gateway, Bridge, Inbox, GatewayRouter, SequencerInbox - acting via ProxyAdmin, UpgradeExecutor.

Participants (8):

Turnkey Multisig Certora Venn/Ironblocks Hypernative KintoFoundation MamoriLabs Caldera KintsugiFoundation

Security Council members - Kinto Docs

Kinto Multisig 0xf152…5D82

A Multisig with 3/5 threshold.
Can upgrade the implementation of Bridger.

Participants (5):

0x5D97…Ae2e KintoFoundation MamoriLabs KintsugiFoundation 0xc31C…61eC

Used in:

Turnkey Multisig 0xD98B…40e1

A Multisig with 1/5 threshold.
Member of Kinto Security Council.

Participants (5):

0xCb5B…0CBd 0xDcbb…bA69 0x4a3B…636A 0xad40…598b 0x8A57…afFd

Kinto

Actors:

AccessManager 0xacC0…4739

Standard OpenZeppelin AccessManager contract: Serves as a proxy contract defining the roles, permissions and delays to call functions in target contracts.
Is allowed to interact with KintoAppRegistry - manage addresses that are callable by EOAs and other white-/blacklists that are enforced globally on the Kinto L2.
Is allowed to interact with KintoWalletFactory - update the central KintoWallet implementation of all users on Kinto L2 and approve specific wallets for recovery via the turnkey recoverer.
Is allowed to interact with KintoID - manage the KYC status of any user (sanction status and KYC metadata) and mint/burn KintoID NFTs.
Is allowed to interact with KintoID - permissioned to call confirmSanction(), which makes a temporary sanction by a KYC_PROVIDER permanent and does not grant an exit window to the affected wallet.
Is allowed to interact with KintoID - transfer KYC NFTs to a different address.
Can upgrade the implementation of KintoAppRegistry, KintoWalletFactory, KintoID.

Kinto Multisig 2 0x2e2B…337a

A Multisig with 2/4 threshold.
Is allowed to interact with NioGuardians - mint Nio Guardian NFTs to any address, inheriting the permissions of the NFT.
Is allowed to interact with AccessManager - change the configuration of all AccessManager permissions (minimum delay shown, the total delay can be longer for some operations) with 12d delay.
Is allowed to interact with AccessManager - approve smart wallet recoveries for any KintoWallet.
Is allowed to interact with KintoID - manage the KYC status of any user (sanction status and KYC metadata) and mint/burn KintoID NFTs.
Can upgrade the implementation of Faucet, SponsorPaymaster.

Participants (4):

0x660a…6e6c MamoriLabs KintoFoundation KintsugiFoundation

KintoWalletFactory 0x8a47…5D75

Deploys new KintoWallet smartwallets for users upon passing KYC checks. Also manages the beacon implementation for all KintoWallets and their recovery logic. KintoWallets can be funded with ETH via this contract.
Is allowed to interact with BeaconKintoWallet - change the beacon implementation.
Can upgrade the implementation of Kinto Multisig 2.

KintoSecurityCouncil_L2Alias 0x28fC…4c8e

Is allowed to interact with AccessManager - change the configuration of all AccessManager permissions (minimum delay shown, the total delay can be longer for some operations) with 7d delay.
Is allowed to interact with AccessManager - manage the whitelisted addresses in the KintoAppRegistry which affects censorship on the entire rollup with 11d delay.
Is allowed to interact with AccessManager - upgrade the implementation of the core contracts KintoID, KintoAppRegistry and KintoWalletFactory with 11d delay.
Is allowed to interact with AccessManager - confirm sanctions, making them permanent without providing an exit window.

EOA 1 0x52F0…5477