Key Highlights
- About $3M was stolen from 86 Gnosis Safe wallets on Ethereum and Base in about two hours.
- The attack reportedly exploited a vulnerable third-party module (SquidRouterModule) that let attackers act like trusted users and drain funds.
- The stolen assets were swapped into DAI and moved into one main wallet (~3.07M DAI) after being drained through fake tokens and Uniswap V3 pools.
A $3M exploit hit 86 Gnosis Safe wallets on Ethereum and Base on Monday, after attackers allegedly used a vulnerable third-party module known as SquidRouterModule.
The issue was flagged by blockchain security firm Blockaid, which said on X that it was monitoring the active attack as funds were being stolen from many wallets at the same time.
According to the firm, the attack lasted about two hours, and the stolen funds were quickly converted into DAI stablecoin using Uniswap V3 pools controlled by the attacker.
How the attack happened
According to Blockaid, attackers used a flaw in the module’s executeSameChainActions() function, which allowed unauthorized execution inside Safe accounts. This gave attackers the ability to impersonate approved delegates and run actions as if they were legitimate users of the Safe system.
Blockaid reported that attackers deployed Foundry-based exploit contracts to trigger delegated calls through the vulnerable module. These calls allowed them to perform token swaps directly from victim Safes. A fake token called “u” was reportedly created with a large supply and was only used for the attack.
The token was paired with real assets inside pre-funded Uniswap V3 liquidity pools. After draining funds from Safes, attackers removed liquidity and completed swaps into stablecoins.
The stolen assets were then routed into a consolidation wallet reportedly holding about 3.07 million DAI, which became the main storage address for the proceeds.
On-chain data showed repeated drain patterns across multiple wallets, confirming that 86 Safes were affected across the Ethereum and Base networks.
Squid clarification and response
Squid, a decentralized cross-chain liquidity platform, quickly responded to the incident on X, clarifying that the “SquidRouterModule” contract was not part of its official system.
“This incident is unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed,” the team wrote.
They also confirmed that their official router contract (0xce16F69375520ab01377ce7B88f5BA8C48F8D666) was not involved and is still safe.
Squid further stated that the issue came from a third-party Safe module that accepted a caller-supplied constant string as proof of authorization, which was visible in the contract code.
Because victims had added this module as a trusted Safe extension, it gained permission to execute transactions without requiring signatures.
The confusion stemmed from the similarity in contract names, which made the vulnerable module appear associated with Squid despite having no direct operational connection to the platform.
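The authorization flaw Squid describes, reduced to a small Python model next to a version that checks the caller's identity instead. This is an added example, not the module's actual code; `AUTH_TAG`, the class names and the addresses are hypothetical.

```python
AUTH_TAG = "trusted-delegate"  # hypothetical constant, readable by anyone in published code

class Safe:
    """Minimal stand-in for a Safe account: owners, enabled modules, a balance."""
    def __init__(self, owners, balance):
        self.owners = set(owners)
        self.modules = set()
        self.balance = balance

    def enable_module(self, module):
        # Enabling is the owners' one-time decision; afterwards the module
        # can execute transactions without any further signature.
        self.modules.add(module)

    def exec_from_module(self, module, to, amount):
        if module not in self.modules:
            raise PermissionError("caller is not an enabled module")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount
        return (to, amount)

class WeakModule:
    """Authorization means 'the caller supplied the right string'."""
    def execute(self, caller, safe, auth, to, amount):
        if auth != AUTH_TAG:  # proves knowledge of a public constant, nothing more
            raise PermissionError("bad auth string")
        return safe.exec_from_module(self, to, amount)

class StrictModule:
    """Authorization means 'the caller is an owner of this Safe'."""
    def execute(self, caller, safe, auth, to, amount):
        if caller not in safe.owners:  # the auth string is ignored entirely
            raise PermissionError("caller is not an owner of this Safe")
        return safe.exec_from_module(self, to, amount)

def outsider_can_spend(module_cls):
    """Return True if a non-owner can move funds through the given module."""
    safe = Safe(owners={"0xOwner"}, balance=100)  # constructed sample data
    module = module_cls()
    safe.enable_module(module)
    try:
        module.execute("0xOutsider", safe, AUTH_TAG, "0xOutsider", 100)
    except PermissionError:
        return False
    return safe.balance == 0
```

The Safe's own check passes in both cases because the module is enabled; only the module's check on its caller separates the two outcomes.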
Crypto exploits continue in 2025
This incident adds to a growing list of exploits in 2026. According to recent data from PeckShield, hackers have stolen about $328.6 million across eight bridge-related exploits this year alone.
Separate data from DefiLlama showed that total crypto losses have exceeded $16.5 billion over time, with cross-chain bridge attacks accounting for roughly $3.22 billion of those losses.
