Squid, a cross-chain routing protocol, says its system wasn’t affected amid reports that hackers stole $3 million through a third-party tool.
Blockaid, an on-chain security firm, said in a Monday post on X that it detected an exploit targeting SquidRouterModule, saying 86 Safe wallets were drained in about two hours and that the stolen tokens were swapped into DAI▼$0.9997 through attacker-controlled Uniswap V3 pools.
Safe wallets, crypto wallets often used by teams and funds to hold shared assets, can give trusted add-ons permission to run transactions. In this particular instance, according to Squid, the compromised wallets must have allowed access to an erroneous third-party application through which the attack occurred.
That permission seems to be at the heart of the matter as the analysts said the attacker used the module to masquerade as authorized delegates on the victim wallets to perform swaps.
Read also: Hackers Breached 3,800 Internal GitHub Repositories. Should You Be Worried?
Module Wasn’t Operated by Squid
After the news broke, Squid said that the exploit was nothing to do with its own router and any of its core contracts, saying the hack is “unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed.”
The confusion arose due to the naming of the vulnerable contract as Squid stated that the compromised contract was registered on Basescan, a blockchain explorer, under the name “SquidRouterModule,” yet it “was not built, deployed, or operated by Squid.”
According to Squid, the module incorrectly considered the code word publicly used by anyone to be evidence of the legitimacy of the transaction. That code word could easily be seen by the attacker through the contract, thus allowing him to get the transactions approved by the module.
Read more: Bitcoin DeFi Protocol Echo Loses $816K After Admin Key Hack
