Odaily Planet Daily reports that Squid posted on X that this incident is unrelated to Squid’s core protocol or contracts; all Squid users and integrated parties remain unaffected and no action is required.
Today, a third-party Gnosis Safe module on the Base and Ethereum networks was compromised, resulting in losses of approximately $3.2 million. The vulnerable contract, verified on Basescan under the name "SquidRouterModule," was not built, deployed, or operated by Squid. It is a third-party smart wallet product that chose to integrate Squid and other protocols, and has no affiliation with Squid.
The attack exploits a third-party module that accepts a constant string provided by the caller as a security proof; this string is publicly visible in the verified contract code. Once an attacker inputs this string, they can execute arbitrary calldata arrays to steal funds at will. The victim’s Safe wallet added this vulnerable contract as a trusted Safe Module, allowing the contract to control any tokens within the Safe without requiring a signature. Squid’s own routing contract (0xce16...D666) has a different architecture and is unaffected; Squid users’ funds, authorizations, and integrations remain completely secure.
Early public reports may have mentioned "SquidRouter" due to the contract verification name on Basescan. The accurate statement is: the third-party SquidRouterModule was compromised, not Squid’s Router contract. Although the contract name is identical to Squid’s, it is not part of Squid’s code. Squid is continuously monitoring the situation and will update information if there are any significant developments.
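The flaw described above, a Safe module that treats a caller-supplied constant as proof of authorization, is shown here next to a hardened form. This is an added, constructed illustration and not the source of the compromised contract: the contract names, the `PROOF` placeholder, the `Call` struct and `allowedTarget` are assumptions, while `isOwner` and `execTransactionFromModule` are functions of the Safe contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration; not the source of the compromised module.
interface ISafe {
    function isOwner(address owner) external view returns (bool);
    // Safe executes this with no owner signatures when msg.sender is an enabled module.
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation)
        external returns (bool success);
}

struct Call { address to; uint256 value; bytes data; }

abstract contract ModuleBase {
    function _run(ISafe safe, Call[] calldata calls) internal {
        for (uint256 i = 0; i < calls.length; i++) {
            // operation 0 = CALL
            require(safe.execTransactionFromModule(calls[i].to, calls[i].value, calls[i].data, 0), "call failed");
        }
    }
}

// Flawed pattern: the "proof" identifies no one, so every caller who read the source passes.
contract ConstantProofModule is ModuleBase {
    // "private" only hides the value from other contracts; it is readable in verified source and bytecode.
    string private constant PROOF = "CONSTRUCTED-PLACEHOLDER";

    function execute(ISafe safe, string calldata proof, Call[] calldata calls) external {
        require(keccak256(bytes(proof)) == keccak256(bytes(PROOF)), "bad proof");
        _run(safe, calls);
    }
}

// Hardened pattern: authorization depends on who the caller is, and the call target is pinned.
contract OwnerGatedModule is ModuleBase {
    address public immutable allowedTarget; // hypothetical: the one contract this module may call

    constructor(address target) { allowedTarget = target; }

    function execute(ISafe safe, Call[] calldata calls) external {
        require(safe.isOwner(msg.sender), "caller is not an owner of this Safe");
        for (uint256 i = 0; i < calls.length; i++) {
            require(calls[i].to == allowedTarget, "target not allowed");
        }
        _run(safe, calls);
    }
}
```

Even the hardened form lets a single owner act without the Safe's signature threshold, so a multi-owner Safe should enable a module only after reviewing exactly which calls it can make on the Safe's behalf.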


