Third-Party SquidRouterModule Drains $3.2M, Not Squid
Squid blamed a third-party Gnosis Safe module, SquidRouterModule, for a $3.2M exploit that emptied 86 Safes across Ethereum and Base; attacker converted assets to DAI.
A third-party Gnosis Safe module called SquidRouterModule was exploited, allowing attackers to steal about $3.2 million by draining 86 Safes on Ethereum and Base over roughly two hours. The attacker converted the stolen tokens to DAI through Uniswap V3 pools they controlled.
Security analysis shows the attacker moved funds into attacker-controlled pools and that wallet 0xA447…54859 held the stolen assets. The exploiter’s account had received 2.1 ETH from Tornado Cash shortly before the theft.
The Squid team posted on X that the compromised contract “shares our name but is not our code.” The post said early reports referenced “SquidRouter” because the contract’s verified name on Basescan caused confusion. Squid pointed to its actual router at 0xce16F69375520ab01377ce7B88f5BA8C48F8D666, which it described as a different design that was not affected; user balances, approvals and platform integrations were reported intact.
Technical details provided by the project show the third-party module accepted a caller-supplied constant string as proof that a message was secure. That string is visible in the verified contract code, and supplying it allowed the module to execute arbitrary calldata and move funds. Victims’ Safes had added the faulty contract as a trusted Safe Module, granting the contract the authority to spend tokens from the Safes without additional signatures.
The module is a third-party smart-wallet product that integrated with multiple protocols and was not developed or deployed by the Squid team. Traces of the funds show they entered attacker-controlled pools before being swapped to DAI.
Security trackers recorded more than 20 exploits in May 2026. The incident involved extended privileges granted to a third-party module in a smart-wallet setup; Gnosis Safe modules can be added to grant such privileges, and security depends on the integrity of any third-party code given those rights.








