Squid: The security incident is unrelated to Squid's core protocol and contracts. All Squid users and integrators are unaffected

Odaily Planet Daily News: Squid posted on platform X, stating that this incident is unrelated to the Squid core protocol and contracts. All Squid users and integrators are unaffected and no action is required.

Today, a third-party Gnosis Safe module on the Base and Ethereum networks was attacked, resulting in a loss of approximately $3.2 million. The vulnerable contract is verified on Basescan under the name "SquidRouterModule," but this contract was not built, deployed, or operated by Squid. It is a third-party smart wallet product that chose to integrate Squid and other protocols, and has no connection to Squid.

The attack principle is that this third-party module accepts a constant string provided by the caller as a message security proof. This string is publicly visible in the verified contract code. The attacker inputs this string to execute an arbitrary calldata array, thereby arbitrarily stealing funds. The victim's Safe wallet had added this problematic contract as a trusted Safe Module, allowing it to dispose of any tokens within the Safe without needing a signature. Squid's own router contract (0xce16...D666) has a different architecture and remains unaffected. Squid user funds, approvals, and integrations are completely secure.

Early public reports might have been misled by the contract verification name "SquidRouter" on Basescan. The accurate description should be: a third-party SquidRouterModule was attacked, not Squid's Router contract. The contract name is the same as Squid's, but it is not Squid's code. Squid is continuously monitoring the situation and will provide updates if there are significant changes.