Blockaid Flags $3M SquidRouterModule Exploit Draining 86 Gnosis Safes

Highlights:
- The SquidRouterModule exploit drained 86 Gnosis Safes across Ethereum and Base within nearly two hours.
- Attackers converted stolen funds into DAI through Uniswap V3 liquidity pools.
- Blockaid traced the exploiter wallet to Tornado Cash funding before the $3 million crypto drain.
Blockchain security firm Blockaid has detected an active exploit targeting SquidRouterModule-linked wallets on Ethereum and Base today. The attack drained 86 Gnosis Safes within nearly two hours. Blockaid estimated the losses at about $3 million after tracking the stolen assets across both networks.
🚨 Blockaid detected an ongoing exploit targeting the SquidRouterModule on Ethereum and Base.
86 Gnosis Safes drained for ~$3M in ~2 hours.
All stolen tokens swapped to DAI via attacker-controlled Uniswap V3 pools.
More details in 🧵
— Blockaid (@blockaid_) May 25, 2026
Blockaid identified the exploiter address as 0x9bdc730183821b6bb2b51be30b77c964fa645b91. Etherscan data showed that Tornado Cash had funded the address before the exploit began. The same wallet recorded 52 transactions during the reported attack period.
The exploit targeted Safe smart accounts connected to the SquidRouterModule instead of the main Safe contract. Attackers used module-level execution permissions to move assets from connected wallets. Many affected Safes shared the same module path during the exploit window.
Blockaid also shared one example transaction that succeeded at 06:25:23 UTC on May 25. Etherscan records showed direct interaction between the exploiter wallet and another address linked to the reported fund flow.
Safe modules allow users to automate transactions and connect wallets with DeFi protocols. Some modules also hold permissions that allow direct transaction execution from connected Safes. The attackers exploited those permissions during the drain across Ethereum and Base.
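A monitoring sketch for the pattern described above, added here as an example and not taken from Blockaid or Safe: it groups module-executed transactions by module and transaction sender, then flags a sender that reaches many distinct Safes through one module inside a time window. The records are constructed; in practice they would come from Safe's `ExecutionFromModuleSuccess` logs joined with each transaction's sender, and the window and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample records (placeholder addresses, timestamps in seconds).
EVENTS = [
    {"ts": 1000,  "safe": "0xSafeA", "module": "0xModuleX", "tx_from": "0xOwnerA"},
    {"ts": 1500,  "safe": "0xSafeA", "module": "0xModuleX", "tx_from": "0xOwnerA"},
    {"ts": 2000,  "safe": "0xSafeB", "module": "0xModuleX", "tx_from": "0xOwnerB"},
    {"ts": 5000,  "safe": "0xSafe1", "module": "0xModuleY", "tx_from": "0xEOA9"},
    {"ts": 5060,  "safe": "0xSafe2", "module": "0xModuleY", "tx_from": "0xEOA9"},
    {"ts": 5120,  "safe": "0xSafe3", "module": "0xModuleY", "tx_from": "0xEOA9"},
    {"ts": 9000,  "safe": "0xSafe4", "module": "0xModuleY", "tx_from": "0xEOA9"},
    {"ts": 20000, "safe": "0xSafe5", "module": "0xModuleY", "tx_from": "0xEOA9"},
]

def flag_module_fanout(events, window_s=7200, min_safes=3):
    """Return {(module, tx_from): peak number of distinct Safes in one window}."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["module"], e["tx_from"])].append((e["ts"], e["safe"]))

    alerts = {}
    for key, hits in by_key.items():
        hits.sort()
        start, best = 0, 0
        in_window = defaultdict(int)  # safe -> number of hits inside the window
        for ts, safe in hits:
            in_window[safe] += 1
            # Slide the left edge forward until the window spans <= window_s.
            while ts - hits[start][0] > window_s:
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_safes:
            alerts[key] = best
    return alerts

if __name__ == "__main__":
    for (module, sender), n in flag_module_fanout(EVENTS).items():
        print(f"ALERT module={module} sender={sender} distinct_safes={n}")
```

An owner operating their own Safe through a module touches one Safe per sender, so only the single sender fanning out across Safes is reported.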
SquidRouterModule Exploit Routes Stolen Assets Into DAI Pools
The attacker swapped stolen USDC, ENA, and USDT into DAI through attacker-controlled Uniswap V3 pools after draining the wallets. Blockaid said the exploiters routed funds through several swaps before consolidating the proceeds into one address.
Etherscan data showed the consolidation wallet held about 3.07 million DAI after the exploit. The same wallet also contained a small ETH balance during the tracking period. Blockaid linked the address directly to the exploit flow through onchain transaction records.
Uniswap V3 allows liquidity providers to place capital inside selected price ranges instead of wider shared pools. Concentrated liquidity pools can create thinner market depth during large abnormal swaps. Attackers used those liquidity conditions to process large token conversions during the exploit. The exploiters consolidated the stolen assets into DAI because decentralized exchanges provide deep stablecoin liquidity during large swaps.
Recent DeFi Breaches Push Safe Integrations and Permissions Into Focus
The SquidRouterModule exploit followed several major crypto hacks that security teams tracked throughout May. Blockaid also flagged a ShapeShift FOX Colony exploit earlier this month on Arbitrum. The initial losses reached about $132,700 before related activity pushed the total losses to roughly $182,700. Another exploit linked to TrustedVolumes drained nearly $6.7 million through a custom RFQ swap proxy.
🚨 Exploit Analysis | ShapeShift FOX Colony Authorization Trust Chain Flaw
SlowMist analyzed the recent ShapeShift FOX Colony exploit on Arbitrum, where attackers abused a semantic conflict between meta-transactions and DSAuth self-call authorization to hijack the resolver and…
— SlowMist (@SlowMist_Team) May 15, 2026
DefiLlama data recently showed hackers carried out 518 crypto exploits during the last decade. Those attacks caused more than $17 billion in total losses. The recent crypto exploits targeted private keys, wallet integrations, signing systems, and bridges alongside smart contract vulnerabilities.
The SquidRouterModule exploit also resembled a recent Aftermath attack on Sui that drained nearly $1.1 million in USDC. Attackers drained those funds within 36 minutes before the protocol paused operations.
Squid clarified that the exploit did not affect its core protocol or router contracts. The company said attackers targeted a third-party Gnosis Safe module verified on Basescan under the name “SquidRouterModule.” Squid stated that the vulnerable contract was not built, deployed, or operated by its team.
This incident is unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed.
A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable… https://t.co/I3gGmdBvE9
— squid (@squidrouter) May 25, 2026
The company explained that the faulty module accepted a publicly available constant string as proof of a secure message. Attackers reportedly used that flaw to execute arbitrary calldata and drain connected Safes. Squid also stated that its router contract, user funds, approvals, and integrations remained secure throughout the incident.
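A simplified Python model of the flaw class Squid describes, added here as an example; it is not the exploited module's code, and every name in it is hypothetical. The weak module treats a constant anyone can read as proof of origin, while the hardened variant assumes a trusted messenger address and checks both the caller and the origin that messenger vouches for.

```python
from dataclasses import dataclass, field

PUBLIC_TAG = "module-message-v1"  # hypothetical constant; anyone can read it

@dataclass
class Safe:
    owner: str
    balance: int = 100
    modules: list = field(default_factory=list)

    def exec_from_module(self, module, amount):
        # Safe-style rule: an enabled module moves funds without owner signatures.
        if module not in self.modules:
            raise PermissionError("module not enabled")
        self.balance -= amount

class WeakModule:
    """Accepts a value any caller can supply as proof the message is genuine."""
    def execute(self, caller, safe, proof, amount):
        if proof != PUBLIC_TAG:
            raise PermissionError("bad proof")
        safe.exec_from_module(self, amount)

class HardenedModule:
    """Authenticates the caller and binds the request to the Safe's owner."""
    def __init__(self, messenger):
        self.messenger = messenger  # the only address allowed to relay messages

    def execute(self, caller, safe, proof, amount):
        # `caller` models msg.sender, which the chain sets and a caller cannot forge.
        # `proof` models the origin account the messenger vouches for.
        if caller != self.messenger:
            raise PermissionError("caller is not the trusted messenger")
        if proof != safe.owner:
            raise PermissionError("origin is not this Safe's owner")
        safe.exec_from_module(self, amount)

def balance_after(module, caller, proof, amount=100):
    """Enable `module` on a fresh Safe, attempt one call, return the balance left."""
    safe = Safe(owner="0xOwner", modules=[module])
    try:
        module.execute(caller, safe, proof, amount)
    except PermissionError:
        pass
    return safe.balance
```

The constant fails as a credential because it is not secret and not tied to any caller or Safe; the hardened checks rely only on values the caller cannot choose.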
Austin Mwendia
Austin Mwendia is a passionate crypto journalist with three years of experience. He has contributed to various media outlets, covering blockchain technology, market analysis, and financial trends. He is committed to educating readers and expanding the adoption of blockchain and decentralized finance.