News linked to both this project and an event.
Humanity released a post-mortem report on the H token security incident that occurred between June 8 and 9, stating that the incident was not caused by a smart contract vulnerability, but rather by a malware intrusion into a developer's device, which led to the leakage of private keys. Humanity stated that the attacker still holds the ProxyAdmin permissions for the ETH bridge and the BNB Chain token. Preliminary investigations confirmed that a colleague's device was infected with malware, which the attacker used to obtain the hot wallet private key of the administrator and the private keys for signing on 6 Gnosis Safe wallets. The team has hired an external security agency to conduct a forensic investigation and stated that they are formulating a recovery plan for affected users.
Humanity released an incident update stating that its H token was subject to a coordinated attack on Ethereum and BSC on the evening of June 8, resulting in approximately $36 million worth of tokens stolen and dumped across both chains. The project disclosed that the attack originated from a compromised employee laptop, which led to the leakage of multiple owner keys for the Gnosis Safe controlling the Hyperlane bridge ProxyAdmin. On Ethereum, the attacker seized ownership of the ProxyAdmin and upgraded the contract to a malicious implementation, transferring approximately 141.2 million H tokens in a single transaction. On BSC, after similarly gaining control of the ProxyAdmin, the attacker deployed a malicious implementation with infinite minting capabilities, minting 200 million H tokens in two transactions and continuously dumping them. Humanity has suspended deposits and withdrawals on the affected cross-chain bridge and is cooperating with exchanges and law enforcement to investigate the incident and seek partial recovery of the stolen funds.
Humility Protocol released a security incident update on the X platform, stating that its H token suffered a coordinated attack on the Ethereum and BSC chains yesterday, with confirmed losses exceeding $36 million in stolen and dumped assets.Preliminary investigations indicate the incident originated from a compromised employee computer, which led to the leakage of private keys for the multi-signature wallet controlling the Hyperlane Bridge ProxyAdmin. Specifically, the attacker obtained 3 out of 6 private keys of the Gnosis Safe wallet on the Ethereum chain, transferred ownership of the ProxyAdmin to a wallet under their control, upgraded the bridge contract to a malicious implementation, and subsequently transferred approximately 141.2 million H tokens in a single transaction.Simultaneously, the attacker also gained control of 3 out of 5 private keys of the Safe wallet on the BSC chain, took over the ProxyAdmin using the same method, deployed a malicious contract with unlimited minting functionality, and minted 200 million H tokens in two separate transactions to their own wallet.Humility stated that it has suspended all deposit and withdrawal operations on the affected bridge services and is collaborating with partners such as exchanges to mitigate losses. Meanwhile, it is cooperating with the police investigation and attempting to recover part of the stolen funds.
Ledger's Donjon security research team successfully bypassed the firmware verification system of the TROPIC01 chip inside the Trezor Safe 7 using laser attacks in a laboratory setting. Chip manufacturer Tropic Square subsequently discovered another attack path affecting the chip's MAC-and-Destroy security mechanism. This vulnerability currently impacts all TROPIC01 chips in production within the field. Trezor stated that the TROPIC01 chip is one of three independent security layers within the Trezor Safe 7, and user funds, wallet backups, and private keys are not stored on it.The chip's hardware encryption storage mechanism completely withstood Ledger's extraction attempts during initial testing. Tropic Square has delayed the release of technical details regarding the vulnerability until the launch of a reinforced silicon version of the TROPIC01 chip later in 2026, with full details expected to be disclosed in the spring of 2027.A firmware mitigation is currently available by disabling the chip's MAINTENANCE mode. Trezor CEO Matej Zak stated that PINs, wallet backups, and user fund keys have never been stored on a single chip. (The Block)
According to The Block, Martin Koppelmann, co-founder and CEO of Gnosis, stated that Gnosis Pay was compromised due to a vulnerability in the Zodiac Delay Module. Attackers were able to initiate transactions from Safe wallets equipped with this module. Gnosis will cover all user losses. Gnosis is currently requesting bridge validators to pause related operations to contain the impact.
SUPERFORTUNE AI released a 24-hour investigation update stating that the May 27 GUA security incident was not, as previously suspected, address poisoning—but rather resulted from the leakage of private keys belonging to multi-signature signers. The attacker then forged valid signatures pointing to a malicious address and exploited the “premium address” feature—where the malicious address shared the same first four and last four characters as the legitimate address—to mislead the remaining signers into completing the signing process via the Safe interface.
Cosine, founder of SlowMist, posted an analysis of the Squid security incident on X. He stated that sampling revealed all affected Safe wallets were single-signature, with different owners—but the issue was not related to private keys. Rather, the vulnerability lay in the module shown in the image (SquidRouterModule) used by these Safe addresses. Attackers could forge messages and easily bypass relevant validations to initiate subsequent swap operations, thereby draining funds from the targeted Safe wallets. Additionally, Cosine disclosed the attacker’s profit accumulation address. Earlier reports indicated that a third-party Gnosis Safe module was exploited on Base and Ethereum, causing approximately $3.2 million in losses. The victims were 86 Gnosis Safe wallets that had added this contract as a trusted Safe Module. The contract is named “SquidRouterModule” on Basescan. Subsequently, Squid clarified that it was not impacted by the Gnosis Safe-related vulnerability incident.
Odaily news Squid posted on X platform, stating that this incident is unrelated to the Squid core protocol and contracts. All Squid users and integrators are unaffected and no action is required.Today, a third-party Gnosis Safe module on the Base and Ethereum networks was attacked, resulting in a loss of approximately $3.2 million. The vulnerable contract is verified on Basescan under the name "SquidRouterModule," but this contract was not built, deployed, or operated by Squid. It is a third-party smart wallet product that chose to integrate with Squid and other protocols, and has no connection with Squid.The attack principle is that this third-party module accepts a constant string provided by the caller as a message security proof. This string is publicly visible in the verified contract code. By inputting this string, the attacker could execute arbitrary calldata arrays and freely steal funds. The victim's Safe wallet had added this problematic contract as a trusted Safe Module, allowing the contract to control any tokens within the Safe without requiring a signature. Squid's own router contract (0xce16...D666) has a different architecture and was unaffected. Squid users' funds, authorizations, and integrations are completely safe.Early public reports may have mentioned "SquidRouter" due to the contract verification name on Basescan. The accurate description should be: a third-party SquidRouterModule was attacked, not Squid's Router contract. This contract shares the name with Squid, but it is not Squid's code. Squid is continuously monitoring the situation and will provide updates if there are any significant changes.
according to Blockaid monitoring, it detected an ongoing attack targeting the SquidRouter module on the Ethereum and Base chains. Within approximately 2 hours, 86 Gnosis Safe wallets were drained of about $3 million in assets. All stolen tokens were swapped for DAI via a Uniswap V3 pool controlled by the attacker.
According to The Block, Avihu Levy, a researcher at StarkWare, published a paper proposing the Quantum Safe Bitcoin (QSB) scheme, claiming it enables quantum-resistant transactions under Bitcoin’s existing script rules—without requiring a soft fork. This scheme replaces elliptic-curve cryptography with the RIPEMD-160 hash function via a “hash-to-signature” puzzle, thereby enhancing resilience against quantum attacks. The paper notes that QSB’s current per-transaction cost ranges from $75 to $150—significantly higher than today’s average transaction fee—and involves complex user experience; thus, it is recommended only as a “last resort.” The scheme remains constrained by script opcodes and size limits, and does not yet support all use cases—such as the Lightning Network. Compared to BIP-360—which requires protocol-level changes—QSB needs no modifications to the Bitcoin protocol, but remains experimental.