Squid, the decentralized cross-chain liquidity protocol, has denied links to a third-party “SquidRouterModule” that was hit by an exploit on Monday. At the time of writing, a smart contract verified under the name “SquidRouterModule” on Basescan, was under an active exploit on the Ethereum and Base blockchains. Squid has claimed that the incident does not threaten its core protocol and contracts — asking users to not initiate any action in panic.
The attack, which has already resulted in the loss of roughly $3 million worth of DAI tokens, was first flagged by on-chain security firm Blockaid on Monday.
Third-party contract, same name, no connection: Squid
Now, the renowned SquidRouterModule is a smart contract module developed by decentralized cross-chain liquidity protocol, Squid Router. The contract essentially manages tasks like token swaps, bridging, and smart contract execution across multiple blockchains like Ethereum and Base. It automatically routes user funds via the most efficient liquidity paths to facilitate cross-chain transactions.
Following an attack being flagged by Blockaid and PeckShield on this supposed “SquidRouterModule”, Squid Router launched an internal investigation and shared a detailed account of its own findings.
The platform claimed that what has been exploited protocol is a third-party SquidRouterModule — which shares its name with Squid’s own such contract, but is not their code.
“A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2 million in losses. It is a third-party smart-wallet product that chose to integrate with Squid but has not been in contact with us. The vulnerable contract is verified on Basescan under the name ‘SquidRouterModule’ but this contract was not built, deployed, or operated by Squid,” said the platform followed by over 54,800 accounts on X.
Squid said it is monitoring the case and will share updates.
Here’s what on-chain security firms had found out
In a post on X Blockaid said, “86 Gnosis Safes drained for ~$3M in ~2 hours. All stolen tokens swapped to DAI via attacker-controlled Uniswap V3 pools.”
The security platform published the wallet addresses of the exploiter and the consolidation wallet holding the stolen funds.
Explaining the most likely cause of the attack Blockaid said, “Attacker deployed Foundry-based exploit contracts that called the module’s DelegateBundler path to impersonate authorized delegates on victim Safes.”
Under Blockaid’s post, Squid Router co-founder Fig acknowledged the attack but claimed that all Squid users were safe.
PeckShield, also tracking developments related to the exploit, went on to claim that the attacker has already started swapping the stolen DAI tokens via crypto mixer Tornado Cash to break most trace-back chains to the acquired tokens, making the identification of the attacker more complicated.
Questions that remain unanswered for now
Now that Squid Router has cleared its own name from this incident of exploit, a bunch of critical questions have risen around the situation.
While the compromised “SquidRouterModule” contract is verified under that specific title on blockchain explorers like BaseScan, the real identity of the product—and the developers behind it—remains completely unknown.
Other details like where was this affected contract being funded from and whether or not more funds were at risk of being stolen also remained unclear as of press time.
The Coin Headlines has reached out to Blockaid to get an in-depth undertanding on the case and is awaiting responses.
DeFi protocols continue to be under the looming threat of exploits after an array of major incidents having made it to the headlines in recent times. The attacks on Kelp DAO’s cross-chain bridge and Drift Protocol recently resulted in the losses of $292 million and $285 million from the crypto ecosystem.