Disclaimer: The opinions expressed by our writers are their own and do not represent the views of U.Today. The financial and market information provided on U.Today is intended for informational purposes only. U.Today is not liable for any financial losses incurred while trading cryptocurrencies. Conduct your own research by contacting financial experts before making any investment decisions. We believe that all content is accurate as of the date of publication, but certain offers mentioned may no longer be available.
Cross-chain platform Squid Router, which recently raised $6 million from Ripple, mistakenly found itself at the center of a scandal due to a hacker attack on third-party software with a similar name. Initial reports on social media claimed that $3 million had been stolen from the protocol, but on-chain analysis and official statements from the developers refuted these rumors.
As revealed from reports by Blockaid and PeckShield, due to a critical vulnerability in the code of the third-party SquidRouterModule module, the attacker was able to bypass the security check using a publicly available text string and impersonate a trusted delegate. Since the affected users had previously added this defective contract to their wallets as trusted, the hacker gained the right to spend their assets without personal signatures.
Through Uniswap V3, the hacker forcibly swapped the victims' real tokens for fake tokens, then extracted liquidity and withdrew the funds to wallet "0xA447...54859". As a result, the hacker drained 86 Gnosis Safe addresses across Ethereum and Base in just two hours, stealing 3.07 million DAI.
Why is Squid Router not involved?
The panic in the media arose solely because of the name of the vulnerable contract. The Squid Router team and its co-founder known online as "fig" quickly stated that the SquidRouterModule contract belongs to an unknown third-party smart wallet that integrated Squid without the developers' knowledge. The platform's original contract, "0xce16F69375520ab01377ce7B88f5BA8C48F8D666", has a different architecture and was not affected.
User funds and approvals across all 100+ networks are fully safe.
The attempt to damage Squid's reputation happened at the moment of the project's maximum media rise: on May 22, the platform announced a strategic $6 million round from Ripple, North Island Ventures and angels from Axelar and Ledger. These funds are aimed at expanding the ecosystem, which since 2023 has already processed more than $6 billion in volume for one million users.
The incident has no impact on the operations, infrastructure or development plans of the legitimate DeFi protocol.
Dan Burgin
