TheBlock
Cross-chain liquidity router Squid has moved to distance itself from a $3.2 million exploit tied to a third-party module integrated into its protocol, issuing a statement that the team had no knowledge of who deployed the compromised component. The phrasing — 'we don't know who deployed this' — is a pointed signal that the attack vector was not native Squid code, but an external module whose provenance is now under scrutiny.
The incident highlights a persistent and underappreciated risk in DeFi composability: protocols inherit the attack surface of every third-party module they integrate, regardless of who wrote it. A $3.2 million loss attributed to an unverified deployment raises hard questions about the audit and access-control processes governing what gets plugged into live liquidity infrastructure.
WuBlockchain
Lookonchain
CoinDesk