A malicious third-party module posing as a Squid tool drained about $3.2 million from 86 Gnosis Safe wallets on Ethereum and Base in roughly two hours, according to security firms Blockaid and PeckShield. The contract, labeled “SquidRouterModule” and verified on Basescan, was not built, deployed, or managed by the cross-chain protocol Squid.
Flaw in signature verification enabled unauthorized transfers
The exploit stemmed from a faulty verification mechanism in the module that treated a constant, publicly known string as valid proof. This allowed the attacker to:
- execute transactions without the usual multi-signature approvals
- move tokens and perform swaps as if they were an authorized delegate
Using Foundry-based contracts, the attacker impersonated authorized delegates and routed arbitrary swaps through Uniswap V3 liquidity pools.
Stolen funds moved into DAI after using obscure token
PeckShield traced the stolen assets through several steps:
- first converted into an obscure token labeled “u”
- then swapped into around 3.07 million DAI
- the DAI is currently held in a wallet beginning with “0xa447...54859”
PeckShield also reported that the attack was initially funded with 2.1 ETH sourced from Tornado Cash.
Squid: core router unaffected, no link to compromised module
The Squid development team stated that:
- the exploited “SquidRouterModule” is entirely unrelated to Squid’s own infrastructure
- Squid did not build, deploy, or manage the contract
- Squid’s core router and operations remain unaffected
The team emphasized that the module only reused the Squid name and had no communication or operational link with the project.
Risk extends beyond core contracts to third-party modules
The incident underscores a key structural risk in defi security:
- the underlying Gnosis Safe multi-sig product was not directly breached
- losses occurred because a third-party module was given extensive control over funds
- branding and naming can create a misleading sense of safety when modules are not officially affiliated
Even multi-signature setups, typically viewed as more secure, can be compromised if they grant permissions to poorly designed or unaudited extensions.
Call for stricter permission and module checks
Security specialists say the episode highlights the need for stronger permission management and scrutiny of add-on tools. Recommended practices include:
- confirming that any module is not only audited but also officially endorsed and maintained by the project it references
- avoiding reliance on name recognition alone when enabling contract permissions
- regularly reviewing and revoking approvals for connected applications to limit damage if a module is later compromised
This kind of “permission hygiene” can reduce the attack surface created by dormant, high-privilege approvals.
Exploit adds to mounting defi losses in 2026
The Gnosis Safe incident comes amid rising losses across decentralized finance:
- total defi exploits in 2026 have already exceeded $840 million in the first five months
- april alone saw more than $600 million drained across roughly 30 incidents
- major april attacks included those on KelpDAO and Drift Protocol, which together lost over $570 million
Security researchers note a gradual shift in attack patterns, with more focus on governance weaknesses, integrations, and third-party modules rather than only on core protocol code.
Squid’s funding and security record under scrutiny
The attack also puts fresh attention on Squid’s brand, despite its lack of involvement in the exploit:
- earlier this year, Squid raised $6 million in a strategic round led by North Island Ventures, with participation from Ripple, Dialectic, and Borderless
- the project says it has undergone nine independent audits
- co-founder Fig has reported 99.99% uptime and no prior breaches of Squid’s own infrastructure
The misuse of Squid’s name in the rogue module illustrates how branding and perceived reputation can be weaponized by unrelated third parties, creating new risks for traders who rely on familiar names when connecting their wallets.
Worried about wallet hacks like this? Learn key protection steps in crypto safety fundamentals to secure your assets.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
