Cross-chain protocol Squid has moved quickly to distance its core infrastructure from a $3.2 million exploit that drained 86 Gnosis Safe wallets, emphasizing that the vulnerable contract was a third-party module entirely separate from its own router. The incident came to light after security firm Blockaid flagged an active attack on the "SquidRouterModule," a Gnosis Safe module deployed on both Ethereum and Base.
How the exploit unfolded
The attacker exploited a critical flaw in the module’s “message security” logic, which simply accepted a fixed string provided by the caller as proof of validity. This allowed anyone who examined the contract code to reuse the string and execute arbitrary call data, effectively granting control over funds. Because the affected Gnosis Safes had registered the module as trusted, transfers could be made without additional owner signatures. Over roughly two hours, the attacker siphoned assets from 86 multisigs, swapped them into DAI via a custom Uniswap V3 pool, and consolidated over 3.07 million DAI into a single address.
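The weak check described above, as an added illustration in Solidity (a constructed example, not the SquidRouterModule's actual code; the ISafe interface subset, the PROOF constant, the executor/target/nonce design and all contract names are assumptions): a Safe module that accepts a fixed string as "proof" next to one that ties authority to the caller, an allowlist of targets and a one-time nonce.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of the Safe ModuleManager interface a module relies on.
// Any enabled module can call it; no owner signatures are checked.
interface ISafe {
    function execTransactionFromModule(
        address to, uint256 value, bytes calldata data, uint8 operation
    ) external returns (bool success);
}

// WEAK PATTERN (constructed, not the real SquidRouterModule): the "proof"
// is a caller-supplied string compared with a constant. Anyone who reads
// the bytecode learns it, so the check authorizes nobody in particular.
contract WeakSafeModule {
    ISafe public immutable safe;
    bytes32 private constant PROOF = keccak256("assumed-fixed-proof");
    constructor(ISafe _safe) { safe = _safe; }

    function execute(address to, bytes calldata data, string calldata proof) external {
        require(keccak256(bytes(proof)) == PROOF, "bad proof"); // replayable by anyone
        require(safe.execTransactionFromModule(to, 0, data, 0), "safe call failed");
    }
}

// HARDENED PATTERN: authority comes from who calls and what may be called,
// never from a value the caller can copy out of the contract.
contract HardenedSafeModule {
    ISafe public immutable safe;
    address public immutable executor;             // the only permitted caller
    mapping(address => bool) public allowedTarget; // allowlisted call targets
    uint256 public nonce;                          // each request usable once

    constructor(ISafe _safe, address _executor, address[] memory targets) {
        safe = _safe;
        executor = _executor;
        for (uint256 i = 0; i < targets.length; i++) allowedTarget[targets[i]] = true;
    }

    function execute(address to, bytes calldata data, uint256 expectedNonce) external {
        require(msg.sender == executor, "not executor");
        require(allowedTarget[to], "target not allowed");
        require(expectedNonce == nonce++, "stale nonce");
        require(safe.execTransactionFromModule(to, 0, data, 0), "safe call failed");
    }
}
```

Safe owners can list what is enabled on their wallet with the Safe contract's getModulesPaginated view and remove anything they do not recognize with disableModule.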
Squid’s response and user reassurance
Squid stated unequivocally that its core router contract (0xce16F69375520ab01377ce7B88f5BA8C48F8D666) was not involved in any malicious transactions, and all user funds, approvals, and integrated services remain secure. The team clarified that the "SquidRouterModule" was neither developed, deployed, nor operated by Squid; the name was chosen independently by a third-party integrator. No user reimbursement program has been announced, as the protocol itself was not at fault.
Broader implications for DeFi security
The event highlights the layered risks of composability in decentralized finance. While Squid’s own contracts are sound, the incident demonstrates how peripheral modules with weak security can create attack vectors entirely outside a protocol’s audits. It also underscores how important it is for Gnosis Safe users to regularly audit and revoke permissions for connected modules, since any enabled module can execute transactions from the wallet without owner signatures. Despite the protocol’s distancing efforts, the branding association has inevitably linked “Squid” with the hack, a reputational blow for a team that otherwise provides robust cross-chain routing.