
Squid Distances Itself From $3.2 Million Hack of Lookalike Third-Party Contract

Cross-chain router Squid distanced itself from a third-party Gnosis Safe module, SquidRouterModule, after attackers drained about $3.2 million across Ethereum and Base.

Blockchain security firms flagged the exploit, which affected 86 Gnosis Safe accounts in roughly 2 hours.

Squid Disowns $3.2 Million SquidRouterModule Exploit

Blockaid highlighted that the attacker swapped stolen tokens into Dai (DAI) through attacker-controlled Uniswap V3 pools.

Separately, security firm PeckShield said the attacker was initially funded with 2.1 ETH from Tornado Cash. The firm added that the exploiter’s wallet, 0xA447…54859, held the stolen assets.


Squid moved quickly on X to separate its protocol from the exploited contract. The team said the “contract shares our name but is not our code.” It also stressed that none of its users were affected.

“Early public reporting could reference ‘SquidRouter’ because of the contract’s verified name on Basescan. The correct framing is: a third-party SquidRouterModule was exploited, not Squid’s Router contract,” the team said.

On Basescan, the compromised contract carries the name “SquidRouterModule,” which sparked early confusion. Squid said the team had no role in writing the contract or pushing it on-chain. It described the module as a third-party smart-wallet product that integrated with several protocols, including Squid.

Squid’s actual router sits at 0xce16F69375520ab01377ce7B88f5BA8C48F8D666 and runs on a different design. That contract was not affected by the attack, and current user balances, approvals, and platform integrations all remain secure.

“The exploit worked because the third-party module accepted a caller-supplied fixed string as proof that a message was safe. If you pass in this string (which is publicly available in the verified contract’s code), then you can execute an array of arbitrary calldata, stealing funds at will. The victims’ Safes had added this defective contract as a trusted Safe Module, which gives the contract the ability to spend any tokens in the Safe without signatures,” the protocol explained.
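A minimal Python model of the flaw class Squid describes, next to a check that binds authorization to the exact call batch. This is an added example, not code from the exploited module, Squid, or Safe; every name and value is constructed, and HMAC stands in for the on-chain signature check a real module would use.

```python
import hashlib
import hmac
import json

# Constructed values for illustration; none come from the exploited contract.
PUBLIC_MAGIC = "constructed-public-constant"  # readable by anyone in verified source
OWNER_KEY = b"constructed-owner-secret"       # stand-in for the Safe owners' signing key


def batch_digest(safe: str, nonce: int, calls: list) -> bytes:
    """Hash that commits to the Safe, a one-time nonce and the exact call batch."""
    payload = json.dumps({"safe": safe, "nonce": nonce, "calls": calls}, sort_keys=True)
    return hashlib.sha256(payload.encode()).digest()


def authorize(key: bytes, safe: str, nonce: int, calls: list) -> bytes:
    """Owner side: tag one specific batch (HMAC is an assumed stand-in for a signature)."""
    return hmac.new(key, batch_digest(safe, nonce, calls), hashlib.sha256).digest()


class FlawedModule:
    """Treats a caller-supplied constant as proof that the batch is safe."""

    def execute(self, safe: str, calls: list, proof: str) -> list:
        if proof != PUBLIC_MAGIC:  # says nothing about who is calling or what runs
            raise PermissionError("bad proof")
        return calls               # the batch would run with module privileges


class BoundModule:
    """Accepts a batch only with a tag bound to this Safe, nonce and calls."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = set()

    def execute(self, safe: str, nonce: int, calls: list, tag: bytes) -> list:
        expected = authorize(self._key, safe, nonce, calls)
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("tag does not match this batch")
        if (safe, nonce) in self._used:  # reject replay of an old authorization
            raise PermissionError("nonce already used")
        self._used.add((safe, nonce))
        return calls
```

In the flawed version the proof is the same for every batch and every caller, so knowing it is equivalent to holding module privileges over each Safe that enabled the module.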

The episode is one of several crypto exploits to hit protocols this month. DefiLlama tracked more than 20 exploits in May 2026.


The post Squid Distances Itself From $3.2 Million Hack of Lookalike Third-Party Contract appeared first on BeInCrypto.
