SquidRouterModule, was exploited across the Ethereum and Base networks, leading to the draining of approximately $3.2 million from 86 different Safes in roughly two hours. Despite initial reports, Squid, the decentralized exchange aggregator, quickly clarified that its core router infrastructure was not compromised and remained unaffected by the incident.
Gnosis Safe Module Exploit Drains Millions
The exploit, which occurred on May 26, 2026, saw attackers convert stolen assets via Uniswap V3 into a worthless “u” token before consolidating about 3.07 million DAI. These funds are currently held in a wallet beginning with 0xa447...54859. Blockchain security firms Blockaid and PeckShield were among the first to report details surrounding the incident, highlighting the rapid nature of the attack.
Early public reporting initially linked the exploit directly to the Squid protocol due to the module’s name. However, Squid issued a clarification, stating that the vulnerable contract was not built, deployed, or operated by the project itself. According to the team, the compromised module independently integrated with Squid and other protocols, while Squid’s core router infrastructure maintained its integrity throughout the attack. Pseudonymous Squid co-founder Fig further emphasized on X that the module was unrelated to Squid’s core infrastructure.
The Mechanism Behind the Exploit
Security researchers indicate the attack was possible because the SquidRouterModule accepted a caller-supplied constant string as proof of a secure transaction message. This critical flaw allegedly allowed attackers to bypass signature verification. By passing this value, attackers could execute arbitrary call data from victim wallets, effectively enabling them to spend tokens held in affected Safes without legitimate wallet approvals.
The incident underscores significant security challenges within the decentralized finance ecosystem, particularly concerning third-party module integrations. Security firms Blockaid and PeckShield noted that the exploit relied on Foundry-based exploit contracts targeting the module’s DelegateBundler execution path. Attackers impersonated authorized delegates tied to each Safe to initiate arbitrary token swaps through Uniswap V3 liquidity pools. This method of operation highlights the complex attack vectors that can emerge when external components interact with core DeFi protocols.
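The class of flaw described above, modeled in Python as an added example (not code from the affected module or from any project named here): a check that trusts a fixed, caller-supplied string sits beside one that binds authorization to the Safe, a nonce, and the exact call data. The constant, the key table, and all function names are assumptions, and HMAC-SHA256 stands in for the delegate's signature.

```python
import hashlib
import hmac

# All names and values here are constructed for illustration.
MAGIC_PROOF = b"SECURE_MESSAGE_OK"  # hypothetical constant the flawed check trusts
DELEGATE_KEYS = {"safe-A": b"constructed-delegate-key"}  # stand-in for delegate signing keys


def flawed_authorize(safe: str, calldata: bytes, proof: bytes) -> bool:
    """Flawed pattern: 'proof' is a fixed string that any caller can supply."""
    return proof == MAGIC_PROOF  # not bound to safe, calldata, or any secret


def _encode(safe: str, nonce: int, calldata: bytes) -> bytes:
    """Length-prefix each field so distinct inputs never encode identically."""
    parts = [safe.encode(), nonce.to_bytes(8, "big"), calldata]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def delegate_sign(key: bytes, safe: str, nonce: int, calldata: bytes) -> bytes:
    """HMAC-SHA256 stands in for the delegate's on-chain signature."""
    return hmac.new(key, _encode(safe, nonce, calldata), hashlib.sha256).digest()


class HardenedModule:
    """Accepts a call only with a fresh tag over (safe, nonce, calldata)."""

    def __init__(self, keys: dict):
        self._keys = dict(keys)
        self._nonces = {safe: 0 for safe in keys}

    def authorize(self, safe: str, calldata: bytes, nonce: int, tag: bytes) -> bool:
        key = self._keys.get(safe)
        if key is None or nonce != self._nonces[safe]:
            return False  # unknown Safe, or a replayed / out-of-order nonce
        expected = delegate_sign(key, safe, nonce, calldata)
        if not hmac.compare_digest(expected, tag):
            return False  # tag does not cover this exact call
        self._nonces[safe] += 1  # consume the nonce so the tag cannot be reused
        return True
```

The flawed check returns the same answer for every Safe and every payload, which is why an audit of a third-party module should confirm that whatever it treats as proof is derived from the call being authorized.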
Vigilance Required in Complex DeFi Ecosystems
The SquidRouterModule exploit serves as a stark reminder of the risks associated with third-party integrations in the crypto space. Users and projects must exercise extreme vigilance and conduct thorough audits of all integrated modules, regardless of their perceived association with established protocols. The rapid consolidation of funds into DAI and the use of specially seeded liquidity pools demonstrate sophisticated attack strategies, emphasizing the need for continuous security enhancements and rapid response protocols across the DeFi landscape.