SlowMist Yu Xian: The Squid security incident did not stem from private key issues but rather from a vulnerability in the Safe Wallet’s “as shown in the figure” module.

Cosine, founder of SlowMist, posted an analysis of the Squid security incident on X. He stated that sampling revealed all affected Safe wallets were single-signature, with different owners—but the issue was not related to private keys. Rather, the vulnerability lay in the module shown in the image (SquidRouterModule) used by these Safe addresses. Attackers could forge messages and easily bypass relevant validations to initiate subsequent swap operations, thereby draining funds from the targeted Safe wallets. Additionally, Cosine disclosed the attacker’s profit accumulation address. Earlier reports indicated that a third-party Gnosis Safe module was exploited on Base and Ethereum, causing approximately $3.2 million in losses. The victims were 86 Gnosis Safe wallets that had added this contract as a trusted Safe Module. The contract is named “SquidRouterModule” on Basescan. Subsequently, Squid clarified that it was not impacted by the Gnosis Safe-related vulnerability incident.