Squid: Security Incident Unrelated to Squid's Core Protocol and Contracts; All Squid Users and Integrators Unaffected

Odaily Odaily reported that Squid stated on X platform that this incident is unrelated to Squid's core protocol and contracts. All Squid users and integrators are unaffected and no action is required.

Today, a third-party Gnosis Safe module on the Base and Ethereum networks was attacked, resulting in a loss of approximately $3.2 million. The vulnerable contract is verified on Basescan under the name "SquidRouterModule," but this contract was not built, deployed, or operated by Squid. It is a third-party smart wallet product that chose to integrate Squid and other protocols, and has no connection to Squid.

The attack principle is that this third-party module accepts a constant string provided by the caller as a message security proof. This string is publicly visible in the verified contract code. An attacker could input this string to execute an arbitrary calldata array, thereby stealing funds at will. The victim's Safe wallet had added this problematic contract as a trusted Safe Module, allowing the contract to control any tokens within the Safe without requiring a signature. Squid's own router contract (0xce16...D666) has a different architecture and is unaffected. Squid user funds, approvals, and integrations remain completely secure.

Earlier public reports may have mentioned "SquidRouter" due to the contract verification name on Basescan. The accurate description should be: a third-party SquidRouterModule was attacked, not Squid's Router contract. This contract shares a name with Squid's but is not Squid's code. Squid is continuously monitoring the situation and will provide updates if there are any significant developments.