A third-party Gnosis Safe module was exploited across Ethereum and Base, draining approximately $3.2 million from 86 Safes in roughly two hours, security firms Blockaid and PeckShield reported.

The vulnerable contract, verified on Basescan under the name "SquidRouterModule," was not built, deployed, or operated by the cross-chain protocol Squid.

"The contract called SquidRouterModule is unrelated to Squid. We don't know yet who wrote or deployed this," pseudonymous Squid co-founder Fig wrote on X. Its core router was architecturally separate and untouched, the project’s official X page added.

The exploit worked because the module accepted a caller-supplied constant string as proof that a message was secure.

Passing that string allowed an attacker to execute arbitrary calldata and spend any tokens held in the victim's Safes without signatures, according to Squid.
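
The flaw described above, sketched as an added example; this is not the exploited contract's code and not code from Squid, Blockaid or PeckShield. The contract name, function names, the marker value, the `trustedGateway` address and the per-Safe target allowlist are all assumptions made for illustration; only `execTransactionFromModule` is the real Safe module entry point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Every name and value below is hypothetical.
interface ISafe {
    // Safe entry point for enabled modules; operation 0 = CALL.
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation)
        external returns (bool success);
}

contract ModuleSketch {
    // A constant compiled into verified bytecode is public, so knowing it identifies nobody.
    bytes32 private constant MARKER = keccak256("SECURE_MESSAGE_V1"); // constructed value
    address public immutable trustedGateway; // assumption: the only contract allowed to relay
    mapping(address => mapping(address => bool)) public allowedTarget; // safe => target => allowed

    error NotAuthorized();
    error ExecFailed();

    constructor(address gateway) { trustedGateway = gateway; }

    // WEAK: the "proof" is supplied by the caller and compared with a fixed value.
    // The check says nothing about who is calling or what `data` contains.
    function executeWeak(ISafe safe, address to, bytes calldata data, string calldata proof) external {
        if (keccak256(bytes(proof)) != MARKER) revert NotAuthorized();
        if (!safe.execTransactionFromModule(to, 0, data, 0)) revert ExecFailed();
    }

    // Keyed by msg.sender, so a Safe can only set its own policy, and only
    // through a normal owner-signed Safe transaction.
    function setAllowedTarget(address target, bool ok) external {
        allowedTarget[msg.sender][target] = ok;
    }

    // HARDENED: authority comes from the caller's identity plus a policy the
    // Safe's owners approved, not from a value carried in the message.
    function executeHardened(ISafe safe, address to, bytes calldata data) external {
        if (msg.sender != trustedGateway) revert NotAuthorized();
        if (!allowedTarget[address(safe)][to]) revert NotAuthorized();
        if (!safe.execTransactionFromModule(to, 0, data, 0)) revert ExecFailed();
    }
}
```

When reviewing a module before enabling it on a Safe, trace every path that reaches `execTransactionFromModule` and confirm each one is gated on `msg.sender` or on verified owner signatures rather than on an argument the caller controls.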