Attackers Drain $3.2 Million From 86 Gnosis Safes After SquidRouterModule Exploit

Attackers siphoned about $3.2 million from 86 Gnosis Safes across Ethereum and Base in roughly two hours after exploiting a smart contract called “SquidRouterModule.”

“Source: PeckShieldAlert The suspected root cause is a vulnerability in SquidRouterModule, which allegedly allowed the attacker to impersonate authorized delegates and trigger unauthorized token swaps, Blockaid said”

Cointelegraph

Security warnings issued on May 25, 2026 said the stolen funds were converted into approximately $3 million in DAI tokens via attacker-controlled Uniswap V3 pools.

Cointelegraph

The exploit was tied to delegated execution permissions inside the third-party Safe wallet module, and Blockaid said the attacker later consolidated proceeds into a wallet holding roughly 3.07 million DAI.

PeckShield reported details of the SquidRouterModule exploit, including the flow of funds that involved TornadoCash and exchanging all tokens for DAI.

The suspected root cause was a flaw in the module’s executeSameChainActions() path, which Blockaid said allowed the attacker to bypass verification checks and trigger arbitrary swaps from affected Safes without normal multisignature approvals.

Safe Labs CEO Rahul Rumalla said the compromised accounts “do not seem to be operated on official Safe Wallet product,” and he added that investigators still did not know where the wallets were originally created and managed.

Rumalla also said Safe Shield, the company’s built-in warning system powered by Blockaid, had already identified the module as malicious before the incident, and he described it as alerting users when unverified modules or guards request dangerous permissions.

crypto.news

Squid denied involvement, saying in a statement posted on X that the exploited contract merely shared the SquidRouterModule name and had “no connection to Squid’s production router architecture.”

Squid further stressed that “this incident is unrelated to Squid’s core protocol and contracts,” while describing the event as a third-party smart-wallet module exploit unrelated to Squid’s official contracts or services.

Cointelegraph reported that the suspected root cause was a vulnerability in SquidRouterModule that allegedly allowed the attacker to impersonate authorized delegates and trigger unauthorized token swaps, according to Blockaid.

The theft was estimated at between $3 million and $3.2 million, with about $3 million being drawn within less than 120 minutes, after the attacker exchanged stolen assets into DAI via Uniswap V3 pools.

“Security warnings issued on May 25, 2026, indicate that about $3”

MEXC Exchange

The incident highlighted that Gnosis Safe modules can execute actions directly once users grant trusted permissions, and the sources said the affected users added the module to their Gnosis Safe as a trusted component.

Blockaid said the exploit allowed the attacker to exchange legitimate assets for a worthless attacker-created token identified as “u,” before liquidity was removed and the proceeds were converted into DAI.

Squid’s position was that its main 0xce16F router contract and user funds were unaffected, and it reiterated that “Squid’s core cross chain routing remains unaffected,” while it continued to monitor the situation and coordinate with security firms.

The broader consequence described by the sources was that the attack added to a growing list of DeFi security incidents reported in 2026, with TradingView noting that the exploit did not originate from Squid Router’s core infrastructure but from a third-party module flaw.