Squid Distances Itself From $3.2 Million Hack of Lookalike Third-Party Contract

  • Attackers exploited a third-party SquidRouterModule to drain $3.2M from 86 Gnosis Safes.
  • Stolen tokens were swapped into 3 million DAI via attacker-controlled Uniswap V3 pools.
  • Squid says the contract shares its name but was not deployed by its team.

Cross-chain router Squid distanced itself from a third-party Gnosis Safe module, SquidRouterModule, after attackers drained about $3.2 million across Ethereum and Base.

Blockchain security firms flagged the exploit, which affected 86 Gnosis Safe accounts in roughly 2 hours.

Squid Disowns $3.2 Million SquidRouterModule Exploit

Blockaid highlighted that the attacker swapped stolen tokens into Dai (DAI) through attacker-controlled Uniswap V3 pools. 


Separately, security firm PeckShield said the attacker was originally funded with 2.1 ETH from Tornado Cash. The firm added that the exploiter’s wallet, 0xA447…54859, held the stolen assets.


Squid moved fast on X to separate its protocol from the exploited contract. The team said the “contract shares our name but is not our code.” It also stressed that none of its users were affected.

“Early public reporting may reference ‘SquidRouter’ due to the contract’s verified name on Basescan. The accurate framing is: a third-party SquidRouterModule was exploited, not Squid’s Router contract,” the team said.

On Basescan, the compromised contract carries the name “SquidRouterModule,” which sparked early confusion. Squid said the team had no role in writing the contract or pushing it on-chain. It described the module as a third-party smart-wallet product that integrated with multiple protocols, including Squid.

Squid’s actual router sits at 0xce16F69375520ab01377ce7B88f5BA8C48F8D666 and runs on a different design. That contract was not affected by the attack, and existing user balances, approvals, and platform integrations all remain safe.

“The exploit worked because the third-party module accepted a caller-supplied constant string as proof that a message was secure. If you pass in this string (which is publicly available in the verified contract’s code), then you can execute an array of arbitrary calldata, stealing funds at will. The victims’ Safes had added this faulty contract as a trusted Safe Module, which gives the contract the ability to spend any tokens in the Safe without signatures,” the protocol explained.
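The flaw Squid describes, shown as an added Solidity sketch that is not the exploited module's code or Squid's: `WeakModule`, `CallerBoundModule`, `TAG_HASH`, `executorOf` and the tag value are hypothetical names constructed for illustration. The first contract treats a public constant as authorization; the second binds authorization to a caller that each Safe configures for itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: hypothetical contracts, not the exploited module's code.
interface ISafe {
    // Safe's module entry point (Enum.Operation is ABI-encoded as uint8).
    function execTransactionFromModule(
        address to, uint256 value, bytes calldata data, uint8 operation
    ) external returns (bool success);
}

struct Call { address to; uint256 value; bytes data; }

// Flawed: the "proof" is a constant anyone can read in the verified source.
contract WeakModule {
    bytes32 public constant TAG_HASH = keccak256("constructed-example-tag");

    function execute(ISafe safe, string calldata tag, Call[] calldata calls) external {
        // Shows only that the caller knows a public value, not who the caller is.
        require(keccak256(bytes(tag)) == TAG_HASH, "bad tag");
        for (uint256 i = 0; i < calls.length; i++) {
            require(safe.execTransactionFromModule(
                calls[i].to, calls[i].value, calls[i].data, 0), "call failed");
        }
    }
}

// Hardened: authority comes from msg.sender, as configured by each Safe.
contract CallerBoundModule {
    mapping(address => address) public executorOf; // Safe => permitted caller

    // Recorded under msg.sender, so only a Safe can set its own executor
    // (in practice via an owner-signed Safe transaction).
    function setExecutor(address executor) external {
        executorOf[msg.sender] = executor;
    }

    function execute(ISafe safe, Call[] calldata calls) external {
        // Unconfigured Safes map to address(0), which can never be msg.sender.
        require(msg.sender == executorOf[address(safe)], "not authorized");
        for (uint256 i = 0; i < calls.length; i++) {
            require(safe.execTransactionFromModule(
                calls[i].to, calls[i].value, calls[i].data, 0), "call failed");
        }
    }
}
```

Even the hardened form lets the permitted caller send arbitrary calls through the Safe, so a narrower module would also restrict the targets and function selectors it forwards.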

The episode is one of several crypto exploits to hit protocols this month. DefiLlama tracked more than 20 exploits in May 2026.
