This incident is unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed.
A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable contract is verified on Basescan under the name “SquidRouterModule” but this contract was not built, deployed, or operated by Squid. It is a third-party smart-wallet product that chose to integrate with Squid, among other protocols, but has not been in contact with us.
The exploit worked because the third-party module accepted a caller-supplied constant string as proof that a message was secure. If you pass in this string (which is publicly available in the verified contract’s code), then you can execute an array of arbitrary calldata, stealing funds at will. The victims’ Safes had added this faulty contract as a trusted Safe Module, which gives the contract the ability to spend any tokens in the Safe without signatures. Squid’s own router (0xce16F69375520ab01377ce7B88f5BA8C48F8D666) is architecturally different and was not touched. Squid user funds, approvals, and integrations are fully secure.
Early public reporting may reference “SquidRouter” due to the contract’s verified name on Basescan. The accurate framing is: a third-party SquidRouterModule was exploited, not Squid’s Router contract. The contract shares our name but is not our code. We are monitoring the situation and will share updates if anything changes materially.
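The flaw described above, as an added example: a toy Python model, not the exploited contract's code and not Squid's. All names (`ToySafe`, `WeakModule`, `HardenedModule`, `PUBLIC_TAG`) are hypothetical, and the caller check shown as the fix is an assumption about one reasonable correction, not a fix the statement describes.

```python
# Toy model of the flaw; every name here is hypothetical and the values are constructed.
# PUBLIC_TAG stands in for a constant that anyone can read in verified source code.
PUBLIC_TAG = "constructed-constant"


class ToySafe:
    """Models a Safe: an enabled module can move funds without owner signatures."""

    def __init__(self, balance):
        self.balance = balance
        self.modules = set()

    def exec_from_module(self, module, to, amount):
        if module not in self.modules:
            raise PermissionError("module not enabled")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount


class WeakModule:
    """Flawed pattern: the 'proof' is a constant that every caller can supply."""

    def run(self, safe, caller, proof, calls):
        if proof != PUBLIC_TAG:  # proves nothing about who is calling
            raise PermissionError("bad proof")
        for to, amount in calls:
            safe.exec_from_module(self, to, amount)


class HardenedModule:
    """Assumed correction: authorize on the caller's identity, not on supplied data."""

    def __init__(self, trusted_caller):
        self.trusted_caller = trusted_caller

    def run(self, safe, caller, proof, calls):
        if caller != self.trusted_caller:  # analogue of a msg.sender check
            raise PermissionError("untrusted caller")
        for to, amount in calls:
            safe.exec_from_module(self, to, amount)


def untrusted_call(module):
    """Return the Safe balance after an untrusted caller presents PUBLIC_TAG."""
    safe = ToySafe(balance=100)
    safe.modules.add(module)
    try:
        module.run(safe, caller="stranger", proof=PUBLIC_TAG, calls=[("stranger", 100)])
    except PermissionError:
        pass
    return safe.balance
```

For anyone reviewing their own Safe, the model's point is that every enabled module holds spending power equal to its weakest authorization check, so the list of enabled modules is the place to audit.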
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
⚠️ Spammers are sending fake "USDC.axl" on Osmosis. It shows the real USDC logo but is worthless and can't be swapped.
As long as you don't visit any websites linked in these transfers, your assets are safe.
The denom is leftover from a 2022 IBC vulnerability that was patched long ago. It doesn't affect users today and is only being used as phishing bait.
A wallet update with the denom blocked is pending app store review.
🚫 Never enter your seed phrase on any website
🚫 Don't click links in tx memos or "USDC claim" pages
Stay safe.
🚨SHUTDOWN: COSMOS NETWORK LEAP WALLET SHUTTING DOWN
@leap_wallet is shutting down its browser extension and mobile apps for iOS and Android, the Leap WebApp, Swapfast exchange platform, and Leap @Cosmos Hub Validator.
Leap was launched in late 2021 with a $50,000 grant from Terraform Labs and later raised a $3.2 million seed round co-led by CoinFund and Pantera Capital in early 2022.
Leap originally positioned itself as a kind of go-to wallet for Terra; after its crash they expanded and pivoted to provide support for the wider multi-chain Cosmos ecosystem.
@indrawxyz More and more people are steering opinion to inflame the public; they lack literacy about government programs such as MBG and Koperasi Merah Putih, or they deliberately twist the narrative, including turning fuel prices into an unsubstantiated issue. They are traitors to the nation who want to stir up unrest.
@Makaryo0 The aim of Koperasi Merah Putih is good. You should study the history of how the Soeharto era achieved food self-sufficiency; that was all because the supply chain and distribution were managed well through village cooperatives. This cooperative is not just a minimarket like Indomart and the like, so its function is different.
@Makaryo0 Koperasi Merah Putih is not merely a minimarket but also a savings and loan cooperative, where farmers and the public can save and borrow with low-cost funds, so they are not trapped by loan sharks. It also takes in farm produce and distributes fertilizer.
@nurayuofficial Don't be surprised by the vehicles in Gading Serpong; a lot of people there drive and park cars and motorbikes carelessly, so you have to be extra careful. A few months ago, the newly installed BSD logo was struck by GS residents. I really can't be bothered going to that area, SMS, Maggiore and the surroundings.
@Airdrops_one @cosmos There's too much internal drama and projects that only intend to harm the community, starting with Sif, Juno, Sommelier, Crescent, the sweet promises of the Gravity Bridge, Emeris, Ethermint/Evmos and several projects that use community funds that ultimately disappoint.
@Airdrops_one @cosmos Instead of working together, they are destroying each other in the ecosystem. The egos of each project leader, their disrespect for each other, and their mutual backbiting are destroying it from within.