Squid Says Unknown Third Party Deployed Module Behind $3.2 Million Exploit
The incident highlights security risks in modular DeFi wallet systems, as 86 Gnosis Safe wallets were drained through a third-party SquidRouterModule that Squid says was unrelated to its core protocol.
Security firms PeckShield and Blockaid said about $3.2 million was siphoned from 86 Gnosis Safe wallets in less than two hours on May 25, 2026, across Ethereum and Base. According to PeckShield, the attacker wallet 0xA447…54859, initially funded with 2.1 ETH from TornadoCash, converted the stolen assets into roughly $3 million in DAI through attacker-controlled Uniswap V3 pools. Blockaid said the victims had previously authorized the third-party SquidRouterModule as a trusted Safe Module with elevated privileges, allowing withdrawals without fresh user signatures. Updated reporting added that the module allegedly relied on a caller-supplied immutable string as a security check, which attackers could read from public source code and use to bypass protections. Squid stated the exploited contract was not built, deployed, or managed by Squid, and said its core protocol and official router contract were unaffected.
- Gnosis Safe: A smart contract wallet system used for multisignature custody and programmable asset management on blockchain networks.
- Safe Module: An extension contract that adds functions to a Gnosis Safe and can be granted permissions to execute actions on the wallet’s behalf.
- TornadoCash: A crypto mixing service that obscures the source and destination of blockchain funds by pooling and redistributing assets.