A major crypto security breach linked to the SquidRouterModule drained around $3 million from 86 Gnosis Safe wallets across Ethereum and Base within just two hours.
Key Takeaways
- Blockaid detected an active exploit targeting the SquidRouterModule on Ethereum and Base.
- Around 86 Gnosis Safe wallets were drained, with estimated losses reaching $3 million.
- The attacker reportedly converted stolen funds into DAI using Uniswap V3 pools.
- Squid stated that the vulnerable module was not developed or operated by its core team.
What Happened?
Blockchain security firm Blockaid reported on May 25 that attackers exploited a vulnerability connected to the SquidRouterModule, leading to the draining of dozens of Gnosis Safe wallets across Ethereum and Base networks.
According to the investigation, the exploit unfolded rapidly, with attackers moving stolen assets through Uniswap V3 pools before consolidating the funds into DAI. Squid later clarified that the compromised module was operated by a third party and was not part of its core routing infrastructure.
π¨ Blockaid detected an ongoing exploit targeting the SquidRouterModule on Ethereum and Base.
β Blockaid (@blockaid_) May 25, 2026
86 Gnosis Safes drained for ~$3M in ~2 hours.
All stolen tokens swapped to DAI via attacker-controlled Uniswap V3 pools.
More details in π§΅
Blockaid Detects Active Exploit Across Ethereum and Base
Blockaid said it identified suspicious activity involving the SquidRouterModule after attackers began draining wallets tied to Gnosis Safe integrations. Within roughly two hours, around 86 wallets had already been compromised.
The security firm stated that the attacker swapped stolen assets into DAI through attacker controlled Uniswap V3 pools. The exploit reportedly involved tokens including USDC, USDT, and ENA before the funds were consolidated into a separate wallet.
Blockaid also shared details of the alleged exploiter address, identified as:
β0x9bdc730183821b6bb2b51be30b77c964fa645b91β
According to Etherscan data referenced in the reports, the address had been funded through Tornado Cash and showed dozens of transactions connected to the exploit activity.
A separate consolidation wallet reportedly held around 3.07 million DAI, alongside a small ETH balance following the attack.
Squid Distances Core Protocol From Vulnerable Module
Following the reports, Squid issued a clarification stating that the affected SquidRouterModule was not developed, deployed, or operated by the core Squid team.
The protocol explained that the compromised contract was actually a third party Gnosis Safe module that independently integrated with protocols like Squid. The company stressed that there had been no prior operational relationship between Squid and the vulnerable module provider.
This incident is unrelated to Squidβs core protocol and contracts. All Squid users and integrators are unaffected and no action is needed.
β squid (@squidrouter) May 25, 2026
A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable⦠https://t.co/I3gGmdBvE9
According to Squid, the exploit originated from a flaw in the third party moduleβs message verification system. The module reportedly accepted a fixed string supplied directly by the caller for security validation.
Attackers allegedly exploited the publicly visible verification string found in the contractβs verified code to execute arbitrary call data and steal funds from connected wallets.
Squid emphasized that its own routing contract architecture differs completely from the compromised module. The team added that user funds, authorizations, and protocol integrations tied directly to Squid remain secure and unaffected.
The project also noted that investigations into the incident are still ongoing.
Recent Funding Round Draws Attention
The exploit comes shortly after Squid announced the completion of a $6 million funding round led by North Island Ventures.
Other participants included Ripple, Dialectic, Borderless Capital, Scenius Capital, along with angel investors tied to projects such as Axelar, Ledger, Polymer Labs, Enso, and Peanut.
The timing of the exploit has placed additional attention on cross-chain infrastructure security, especially around wallet modules, bridges, and permission systems connected to decentralized finance protocols.
DeFi Security Risks Continue to Grow
The SquidRouterModule exploit adds to a growing list of crypto attacks seen throughout May. Security researchers have recently flagged multiple incidents involving wallet permissions, private key compromises, proxy contracts, and bridge infrastructure.
Industry data cited in recent reports showed that crypto related exploits have resulted in more than $17 billion in losses over the past decade.
Security experts continue warning that attackers are increasingly targeting infrastructure layers surrounding smart contracts instead of focusing only on protocol code itself.
CoinLawβs Takeaway
In my experience, incidents like this show how dangerous third party integrations can become inside DeFi ecosystems. Even if a core protocol remains secure, connected modules and wallet permissions can quietly become weak entry points for attackers.
I found Squidβs clarification important because it highlights a growing issue in crypto where users often cannot distinguish between official infrastructure and independently built integrations. As DeFi systems become more connected, projects will likely face increasing pressure to audit not only their own code but also the external modules interacting with their ecosystems.
