TechFlow News, May 26: Peihua “Cosine” Yu, founder of SlowMist, posted an analysis of the Squid security incident on X. He stated that sampling revealed all affected Safe wallets were single-signature, with different owners—but the issue was not related to private keys. Instead, the vulnerability lay in the SquidRouterModule (as shown in the figure), a module used by these Safe addresses. Attackers could forge messages to easily bypass relevant validations and initiate subsequent swap operations, thereby draining funds from the targeted Safe wallets. Additionally, Cosine disclosed the attacker’s profit accumulation address.
Earlier reports indicated that a third-party Gnosis Safe module was exploited on Base and Ethereum, resulting in approximately $3.2 million in losses. The victims were 86 Gnosis Safe wallets that had added this contract as a trusted Safe Module. The contract is named “SquidRouterModule” on Basescan. Subsequently, Squid clarified that it was unaffected by the Gnosis Safe-related vulnerability incident.
