---
title: "86 Gnosis Safe Wallets Hit in $3M Squid Exploit"
date: 2026-05-25
author: "Kelvin Scott"
featured_image: "https://coinlaw.io/wp-content/uploads/2026/05/gnosis-safe-wallets-hit-in-3m-squid-exploit.jpg"
categories:
  - name: "Cryptocurrency"
    url: "/crypto.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# 86 Gnosis Safe Wallets Hit in $3M Squid Exploit

A major crypto security breach linked to the SquidRouterModule drained around $3 million from 86 Gnosis Safe wallets across Ethereum and Base within just two hours.

## Key Takeaways

- Blockaid detected an active exploit targeting the SquidRouterModule on Ethereum and Base.
- Around 86 Gnosis Safe wallets were drained, with estimated losses reaching $3 million.
- The attacker reportedly converted stolen funds into DAI using Uniswap V3 pools.
- Squid stated that the vulnerable module was not developed or operated by its core team.

## What Happened?

Blockchain security firm Blockaid reported on May 25 that attackers exploited a vulnerability connected to the SquidRouterModule, leading to the draining of dozens of **Gnosis Safe wallets** across Ethereum and Base networks.

According to the investigation, the exploit unfolded rapidly, with attackers moving stolen assets through **Uniswap V3 pools** before consolidating the funds into DAI. Squid later clarified that the compromised module was operated by a third party and was not part of its core routing infrastructure.

> 🚨 Blockaid detected an ongoing exploit targeting the SquidRouterModule on Ethereum and Base.  
>   
> 86 Gnosis Safes drained for ~$3M in ~2 hours.   
> All stolen tokens swapped to DAI via attacker-controlled Uniswap V3 pools.  
> More details in 🧵
> 
> — Blockaid (@blockaid\_) [May 25, 2026](https://twitter.com/blockaid_/status/2058875782810726556?ref_src=twsrc%5Etfw)

## Blockaid Detects Active Exploit Across Ethereum and Base

Blockaid said it identified suspicious activity involving the **SquidRouterModule** after attackers began draining wallets tied to Gnosis Safe integrations. Within roughly two hours, around 86 wallets had already been compromised.

The security firm stated that the attacker swapped stolen assets into DAI through attacker-controlled [Uniswap](https://coinlaw.io/uniswap-statistics/) V3 pools. The exploit reportedly involved tokens including **USDC, [USDT](https://coinlaw.io/tether-statistics/), and ENA** before the funds were consolidated into a separate wallet.

Blockaid also shared details of the alleged exploiter address, identified as:

“**0x9bdc730183821b6bb2b51be30b77c964fa645b91**”

According to Etherscan data referenced in the reports, the address had been funded through Tornado Cash and showed dozens of transactions connected to the exploit activity.

A separate consolidation wallet reportedly held around **3.07 million DAI**, alongside a small ETH balance following the attack.

## Squid Distances Core Protocol From Vulnerable Module

Following the reports, Squid issued a clarification stating that the affected SquidRouterModule was not developed, deployed, or operated by the core Squid team.

The protocol explained that the [compromised contract](https://coinlaw.io/smart-contract-security-risks-and-audits-statistics/) was actually a third-party Gnosis Safe module that independently integrated with protocols like Squid. The company stressed that there had been no prior operational relationship between Squid and the vulnerable module provider.

> This incident is unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed.  
>   
> A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable… <https://t.co/I3gGmdBvE9>
> 
> — squid (@squidrouter) [May 25, 2026](https://twitter.com/squidrouter/status/2058890710611276238?ref_src=twsrc%5Etfw)

According to Squid, the exploit originated from a flaw in the third-party module’s message verification system. The module reportedly accepted a fixed string supplied directly by the caller for security validation.

Attackers allegedly exploited the publicly visible verification string found in the contract’s verified code to execute arbitrary call data and steal funds from connected wallets.
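The flaw class described above, sketched as an added example (not the exploited module's code, and not from Squid or Blockaid): a check against a caller-supplied constant, beside a form that authenticates the caller and allowlists what the module may call. The contract names, the string value, the `relayer` role and the allowlist design are assumptions; `execTransactionFromModule` is Safe's entry point for enabled modules.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical contracts; not the exploited module's code.
interface ISafe {
    // Safe's module entry point (the Enum.Operation argument is ABI-encoded as uint8).
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation)
        external returns (bool success);
}

// Weak pattern: the "proof" is a constant that the caller supplies.
contract FixedStringModule {
    // Constructed value. Anything in verified source or deployed bytecode is public.
    bytes32 private constant EXPECTED = keccak256("example-verification-string");

    function execute(ISafe safe, string calldata proof, address to, bytes calldata data) external {
        // Shows only that the caller read the contract, not who the caller is.
        require(keccak256(bytes(proof)) == EXPECTED, "bad proof");
        require(safe.execTransactionFromModule(to, 0, data, 0), "exec failed");
    }
}

// Hardened form: authenticate msg.sender and restrict what the module can call.
contract AllowlistedModule {
    ISafe public immutable safe;
    address public immutable relayer; // hypothetical trusted message source
    mapping(address => mapping(bytes4 => bool)) public allowed; // target => selector

    constructor(ISafe safe_, address relayer_) {
        safe = safe_;
        relayer = relayer_;
    }

    // Only the Safe itself (its owners, via a Safe transaction) edits the allowlist.
    function setAllowed(address target, bytes4 selector, bool ok) external {
        require(msg.sender == address(safe), "only safe");
        allowed[target][selector] = ok;
    }

    function execute(address to, bytes calldata data) external {
        require(msg.sender == relayer, "unauthorized caller");
        require(data.length >= 4 && allowed[to][bytes4(data[:4])], "call not allowed");
        require(safe.execTransactionFromModule(to, 0, data, 0), "exec failed");
    }
}
```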

Squid emphasized that its own routing contract architecture differs completely from the compromised module. The team added that user funds, authorizations, and protocol integrations tied directly to Squid remain secure and unaffected.

The project also noted that investigations into the incident are still ongoing.

## Recent Funding Round Draws Attention

The exploit comes shortly after Squid announced the completion of a **$6 million funding round** led by **North Island Ventures**.

Other participants included **Ripple, Dialectic, Borderless Capital, Scenius Capital**, along with angel investors tied to projects such as **Axelar, Ledger, Polymer Labs, Enso, and Peanut**.

The timing of the exploit has placed additional attention on cross-chain infrastructure security, especially around wallet modules, bridges, and permission systems connected to decentralized finance protocols.

## DeFi Security Risks Continue to Grow

The SquidRouterModule exploit adds to a growing list of [crypto attacks](https://coinlaw.io/crypto-exchange-hacks-and-security-statistics/) seen throughout May. Security researchers have recently flagged multiple incidents involving wallet permissions, private key compromises, proxy contracts, and bridge infrastructure.

Industry data cited in recent reports showed that crypto-related exploits have resulted in more than **$17 billion in losses over the past decade**.

Security experts continue to warn that attackers are increasingly targeting the infrastructure layers surrounding smart contracts instead of focusing only on protocol code itself.

## CoinLaw’s Takeaway

In my experience, incidents like this show how dangerous third-party integrations can become inside [DeFi ecosystems](https://coinlaw.io/decentralized-finance-market-statistics/). Even if a core protocol remains secure, connected modules and wallet permissions can quietly become weak entry points for attackers.

I found Squid’s clarification important because it highlights a growing issue in crypto where users often cannot distinguish between official infrastructure and independently built integrations. As DeFi systems become more connected, projects will likely face increasing pressure to audit not only their own code but also the external modules interacting with their ecosystems.
