Svmuu news Squid posted on X platform, stating that this incident is unrelated to the Squid core protocol and contracts. All Squid users and integrators are unaffected and no action is required.
Today, a third-party Gnosis Safe module on the Base and Ethereum networks was attacked, resulting in a loss of approximately $3.2 million. The vulnerable contract is verified on Basescan under the name "SquidRouterModule," but this contract was not built, deployed, or operated by Squid. It is a third-party smart wallet product that chose to integrate with Squid and other protocols, and has no connection with Squid.
The attack principle is that this third-party module accepts a constant string provided by the caller as a message security proof. This string is publicly visible in the verified contract code. By inputting this string, the attacker could execute arbitrary calldata arrays and freely steal funds. The victim's Safe wallet had added this problematic contract as a trusted Safe Module, allowing the contract to control any tokens within the Safe without requiring a signature. Squid's own router contract (0xce16...D666) has a different architecture and was unaffected. Squid users' funds, authorizations, and integrations are completely safe.
Early public reports may have mentioned "SquidRouter" due to the contract verification name on Basescan. The accurate description should be: a third-party SquidRouterModule was attacked, not Squid's Router contract. This contract shares the name with Squid, but it is not Squid's code. Squid is continuously monitoring the situation and will provide updates if there are any significant changes.