BlockSec

This incident is unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed. A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable contract is verified on Basescan under the name “SquidRouterModule” but this contract was not built, deployed, or operated by Squid. It is a third-party smart-wallet product that chose to integrate with Squid, among other protocols, but has not been in contact with us. The exploit worked because the third-party module accepted a caller-supplied constant string as proof that a message was secure. If you pass in this string (which is publicly available in the verified contract’s code), then you can execute an array of arbitrary calldata, stealing funds at will. The victims’ Safes had added this faulty contract as a trusted Safe Module, which gives the contract the ability to spend any tokens in the Safe without signatures. Squid’s own router (0xce16F69375520ab01377ce7B88f5BA8C48F8D666) is architecturally different and was not touched. Squid user funds, approvals, and integrations are fully secure. Early public reporting may reference “SquidRouter” due to the contract’s verified name on Basescan. The accurate framing is: a third-party SquidRouterModule was exploited, not Squid’s Router contract. The contract shares our name but is not our code. We are monitoring the situation and will share updates if anything changes materially.

📣 Transit Announcement Regarding a recent incident related to historical legacy risks, we would like to share the following update: 1️⃣ Cause of the Incident The issue was related to an early-version smart contract previously deployed on TRON. Although this legacy contract had been deprecated since 2022, historical vulnerabilities within it were recently exploited, affecting a limited number of users. 2️⃣ Actions Taken Upon discovery, our team immediately carried out investigation, isolation, and mitigation measures, followed by additional review and remediation on May 12, 2026. Users do not need to take any action. The current smart contract version remains unaffected and has been operating securely for over four years, with ongoing security audits, testing, and monitoring in place. We will continue strengthening the management of legacy contracts and potential on-chain risks to further improve overall security. 3️⃣ Compensation Affected users will receive full compensation, with further details to be announced through our official channels. 4️⃣ Security Reminder • Please remain cautious of unsolicited messages or accounts claiming to represent Transit Finance. • Never share your private key or seed phrase with anyone. Transit Team

Attention Aftermath community - We’ve identified an exploit affecting the protocol. Our team is actively investigating alongside leading security partners. As a precaution, the protocol has been paused and measures are being taken to minimize potential impact to user funds. We’ll continue to share updates as we learn more. Thank you for your patience.

The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times, weighed its commitment to the security and integrity of the Arbitrum community without impacting any Arbitrum users or applications. After significant technical diligence and deliberation, the Security Council identified and executed a technical approach to move funds to safety without affecting any other chain state or Arbitrum users. As of April 20 11:26pm ET the funds have been successfully transferred to an intermediary frozen wallet. They are no longer accessible to the address that originally held the funds, and can only be moved by further action by Arbitrum governance, which will be coordinated with relevant parties.