$3.2M Drained from Gnosis Safe Wallets via SquidRouterModule Exploit
Severity: High (Score: 69.0)
Sources: Bitget, Cryptobriefing
Keywords: hours, safe, wallet, module, exploit, drained, wallets
Summary
An attacker exploited a vulnerability in the SquidRouterModule, a third-party add-on, to drain approximately $3.2 million from 86 Gnosis Safe wallets across Ethereum and Base in just two hours. The breach was identified by Blockaid on May 25, 2026, and involved improper identity validation that allowed the attacker to impersonate authorized users. The stolen assets included USDC, ENA, and USDT, which were quickly converted to DAI through Uniswap V3 pools. Squid clarified that the compromised module was not part of their core protocol, distancing themselves from the incident. Users with Gnosis Safe wallets utilizing this module are advised to revoke permissions immediately. The incident highlights ongoing risks associated with third-party modules in decentralized finance (DeFi).
Key Points:
- An exploit in the SquidRouterModule drained $3.2 million from 86 Gnosis Safe wallets.
- The attack was executed through improper identity validation, allowing unauthorized transactions.
- Users are urged to revoke permissions for the SquidRouterModule to mitigate risks.
Detailed Analysis
**Impact** 86 Gnosis Safe wallets across Ethereum and Base were drained of approximately $3.2 million in assets, including USDC, ENA, and USDT. The attacker consolidated about $3.07 million into a single wallet after swapping stolen tokens to DAI. The incident affected users of third-party wallet modules rather than official Safe Wallet products, with losses realized within a two-hour window. The geographic scope is global, consistent with decentralized finance (DeFi) platforms.

**Technical Details** The attacker exploited improper identity validation in the third-party SquidRouterModule, specifically targeting the executeSameChainActions() function and abusing the DelegateBundler mechanism to impersonate authorized delegates. Funds were laundered through attacker-controlled Uniswap V3 liquidity pools and initially funded via Tornado Cash. The compromised module was verified on Basescan but lacked thorough auditing. The attacker’s wallet address is 0xa447…54859. No CVE identifiers were provided.

**Recommended Response** Users should immediately revoke permissions granted to the SquidRouterModule on their Gnosis Safe wallets. Security teams must monitor for transactions involving the identified attacker wallet and Uniswap V3 pools linked to the exploit. Organizations should audit all third-party wallet modules for improper identity validation and restrict broad execution privileges. No patches are currently available; continuous monitoring of wallet module activity is advised.
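For the revocation step in the Recommended Response, the following is an added example, not code from the source articles, Safe, or Squid. It assumes that "revoking permissions" means disabling the module through the Safe contract's `disableModule(prevModule, module)`; the module and Safe addresses are constructed placeholders because the page does not give the module's address.

```python
# Safe keeps enabled modules in a singly linked list, so disableModule() needs
# the entry that points at the target. The head's predecessor is the sentinel 0x1.
SENTINEL = "0x" + "0" * 39 + "1"
DISABLE_MODULE_SELECTOR = "e009cfde"   # selector of disableModule(address,address)

def _norm(addr):
    """Lower-case a 20-byte hex address and drop the 0x prefix."""
    a = addr.lower().removeprefix("0x")
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte address: {addr!r}")
    return a

def disable_module_calldata(enabled_modules, target):
    """enabled_modules: list in the order returned by the Safe's
    getModulesPaginated(SENTINEL, pageSize). Returns hex calldata, or None
    when the target module is not enabled on this Safe."""
    mods = [_norm(m) for m in enabled_modules]
    tgt = _norm(target)
    if tgt not in mods:
        return None
    i = mods.index(tgt)
    prev = _norm(SENTINEL) if i == 0 else mods[i - 1]
    return "0x" + DISABLE_MODULE_SELECTOR + prev.rjust(64, "0") + tgt.rjust(64, "0")

def revocation_plan(fleet, target):
    """fleet: {safe_address: [enabled modules]}. One transaction per affected
    Safe; disableModule() is only callable by the Safe itself, so each entry
    must be executed as a Safe transaction (to = the Safe, value = 0)."""
    plan = []
    for safe, modules in fleet.items():
        data = disable_module_calldata(modules, target)
        if data is not None:
            plan.append({"to": safe, "value": 0, "data": data})
    return plan

# Constructed sample data (placeholders, not real addresses from the incident).
MODULE = "0x" + "aa" * 20        # stands in for the SquidRouterModule address
OTHER = "0x" + "bb" * 20         # an unrelated module
FLEET = {
    "0x" + "11" * 20: [MODULE, OTHER],   # target is list head -> prev = sentinel
    "0x" + "22" * 20: [OTHER, MODULE],   # target follows OTHER -> prev = OTHER
    "0x" + "33" * 20: [OTHER],           # not affected
}

if __name__ == "__main__":
    for tx in revocation_plan(FLEET, MODULE):
        print(tx["to"], tx["data"])
```

Passing the wrong `prevModule` makes the call revert, which is why the plan is derived from each Safe's own module list rather than from a single template transaction.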
Source articles (2)
- $3.2M drained from Gnosis Safe wallets through SquidRouterModule exploit — Cryptobriefing · 2026-05-26
  An attacker exploited improper identity validation in a third-party module to drain 86 wallets across Ethereum and Base in just two hours. A flaw in something called the SquidRouterModule allowed an a…
- $3.2M Vanishes in 2 Hours as Safe Wallet Module Exploit Drains 86 Crypto Vaults — Bitget · 2026-05-26
  A possible exploit in a third-party wallet module caused a company’s Safe assets to be drained over the past few hours, leading to millions of dollars in losses for all users. A third party wallet app…
Timeline
- 2026-05-25 — Breach detected by Blockaid: Blockaid identified the exploit targeting the SquidRouterModule, leading to significant fund losses.
- 2026-05-25 — Funds drained and consolidated: The attacker siphoned $3.2 million from 86 wallets and consolidated the funds into DAI.
- 2026-05-26 — Incident reported in multiple outlets: Both Cryptobriefing and Bitget published articles detailing the exploit and its implications.
Related entities
- Supply Chain Attack (Attack Type)
- Blockaid (Malware)
- Gnosis (Company)
- Gnosis Safe (Company)
- Safe Labs (Company)
- Base (Company)
- Ethereum (Company)
- Squid (Platform)
- Basescan (Platform)
- Uniswap V3 (Platform)
- CWE-287 - Improper Authentication (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- Tornado Cash (Tool)