Squid Distances Itself From $3.2M Third-Party Module Exploit
Squid Distances Itself From $3.2 Million Exploit of Third-Party Module – 86 Gnosis Safe Accounts Affected Across Ethereum and Base
Key Takeaways
- Attackers drained approximately $3.2 million from a third-party contract named SquidRouterModule.
- The exploit affected 86 Gnosis Safe accounts across Ethereum and Base within about two hours.
- Stolen assets were swapped into Dai (DAI) through attacker-controlled Uniswap V3 pools.
- Squid stated that its own router contract and users were not affected by the incident.
Exploit Targets Third-Party SquidRouterModule Contract
Cross-chain router protocol Squid has publicly distanced itself from a smart contract exploit that resulted in losses of around $3.2 million. The attack targeted a contract called SquidRouterModule, which carried the Squid name but was not developed or deployed by the Squid team.
Blockchain security firms reported that attackers drained funds from 86 Gnosis Safe accounts across Ethereum and Base in roughly two hours. Early references to “SquidRouter” were linked to the verified contract name on Basescan, which led to confusion about whether Squid’s core infrastructure had been compromised.
Squid clarified that the exploited module was a third-party smart wallet product that integrated with multiple protocols, including Squid, but was not part of its own codebase. According to the team, it had no role in writing the contract or pushing it on-chain.
Security Firms Trace Fund Movements and Attacker Wallet
Security firm PeckShield reported that the attacker was initially funded with 2.1 ETH originating from Tornado Cash. After executing the exploit, the attacker swapped the stolen tokens into approximately $3 million worth of Dai using attacker-controlled Uniswap V3 liquidity pools.
PeckShield identified the wallet 0xA447…54859 as holding the stolen assets. Blockaid also flagged the exploit and highlighted the token swaps into Dai.
The conversion into a stablecoin such as Dai can make the value of stolen assets less volatile compared to holding them in other tokens. According to the security alerts, the funds remained in the attacker’s wallet following the swaps.
How the Exploit Worked Inside the Safe Module
Squid provided a technical explanation of the vulnerability. The third-party module accepted a caller-supplied constant string as proof that a message was secure. That string was publicly available in the verified contract code.
If a user passed this string to the module, it enabled the execution of an array of arbitrary calldata. This allowed attackers to trigger transactions that transferred funds out of affected wallets.
The vulnerability had significant implications because the victims had added the faulty contract as a trusted Safe Module within their Gnosis Safe setup. When a module is granted trusted status in a Safe, it can spend tokens from the wallet without requiring additional signatures. According to Squid, this permission model allowed the attacker to move funds without further authorization once the exploit was executed.
The combination of a publicly accessible verification string and broad spending permissions enabled the attacker to drain assets at will from Safes that had integrated the compromised module.
Squid Confirms Its Router Contract Was Not Affected
In response to the incident, Squid stated on X that none of its users were affected. The team emphasized that the exploited contract “shares our name but is not our code.” It also clarified that its actual router contract operates under a different design and remains secure.
Squid identified its legitimate router contract address as 0xce16F69375520ab01377ce7B88f5BA8C48F8D666. According to the team, existing user balances, token approvals, and platform integrations tied to its official router were not impacted by the exploit.
The clarification aimed to separate the protocol’s infrastructure from the third-party module that integrated with it. The naming similarity on Basescan had initially led to reports that referenced SquidRouter, prompting the company to issue a public statement distinguishing its own contract from the compromised one.
Incident Occurs Amid Elevated Exploit Activity in May 2026
The SquidRouterModule exploit is one of more than 20 crypto-related exploits tracked in May 2026, according to data from DefiLlama. The frequency of incidents during the month underscores continued security risks associated with smart contract integrations and third-party modules.
For users interacting with decentralized applications, the case highlights the technical implications of granting smart contracts trusted module permissions within wallet frameworks such as Gnosis Safe. When a module is approved with broad authority, vulnerabilities in that module can directly affect wallet balances.
The incident also demonstrates how contract naming and on-chain verification labels can influence early reporting, particularly when third-party tools include brand references that may suggest direct protocol involvement.
Our Assessment
Based on the available information, the exploit resulted in approximately $3.2 million in losses from 86 Gnosis Safe accounts due to a vulnerability in a third-party module named SquidRouterModule. Security firms traced the attacker’s funding source and subsequent conversion of assets into Dai. Squid’s official router contract and user balances were not affected, and the company stated it had no involvement in developing or deploying the compromised module. The event forms part of a broader pattern of crypto exploits recorded in May 2026.
