Squid says it did not deploy $3.2M exploit module

Squid says it did not deploy the $3.2 million module that enabled an outside party to transfer funds and does not know who added it.

Squid said a $3.2 million module that allowed an external actor to move assets was not deployed by the company and is now the subject of internal and external investigations. The component granted the ability to execute transactions against the project’s smart-contract infrastructure and was not authorized by Squid.

Squid described the component as a third-party module attached to its smart contracts that enabled the unauthorized transfer of about $3.2 million in assets. The company said the transfers occurred through actions taken via the module and not through Squid’s own deployment processes.

The issue was identified during routine monitoring. Squid disabled affected functions where possible and engaged blockchain security specialists to trace the flow of funds. The company is cooperating with relevant authorities and has notified platform partners and some custodians to help contain further movement of the assets.

In a written statement, a Squid spokesperson wrote, “We did not deploy the $3.2 million module and do not know who did.” The company added that it is reviewing access controls, administrative keys, and third-party integrations to determine how the module was introduced.

Squid said the module was developed and deployed outside normal change-management procedures. The firm is examining audit logs and smart-contract history to identify the origin of the deployment and any actors involved, and it declined to provide technical details about the code while forensic teams complete their review.

The company noted that external modules can extend functionality but, if integrated without full vetting or if privileges are misconfigured, they can create new attack paths. Squid said it will strengthen its review process for third-party code and require additional safeguards before any external module can be connected to production contracts.

Squid outlined next steps that include a full forensic audit, faster disclosure of findings to users and partners, and a plan to roll back or disable any remaining third-party components that are not verified. The company said it will publish a detailed account of the incident and remediation measures after investigators complete their technical analysis.
