$3.2M Drained from Gnosis Safe Wallets via SquidRouterModule Exploit

$3.2M Drained from Gnosis Safe Wallets via SquidRouterModule Exploit

First seen 26 May 2026, 19:40 UTC CryptobriefingBitget 78% similarity 69.0

Article Content

Browse articles
ThreatCluster

An attacker exploited a vulnerability in the SquidRouterModule, a third-party add-on, to drain approximately $3.2 million from 86 Gnosis Safe wallets across Ethereum and Base in just two hours. The breach was identified by Blockaid on May 25, 2026, and involved improper identity validation that allowed the attacker to impersonate authorized users. The stolen assets included USDC, ENA, and USDT, which were quickly converted to DAI through Uniswap V3 pools. Squid clarified that the compromised module was not part of their core protocol, distancing themselves from the incident. Users with Gnosis Safe wallets utilizing this module are advised to revoke permissions immediately. The incident highlights ongoing risks associated with third-party modules in decentralized finance (DeFi).

Key Points: • An exploit in the SquidRouterModule drained $3.2 million from 86 Gnosis Safe wallets. • The attack was executed through improper identity validation, allowing unauthorized transactions. • Users are urged to revoke permissions for the SquidRouterModule to mitigate risks.

ThreatCluster AI

Timeline

2026-05-25
Breach detected by Blockaid
Blockaid identified the exploit targeting the SquidRouterModule, leading to significant fund losses.
Cryptobriefing
2026-05-25
Funds drained and consolidated
The attacker siphoned $3.2 million from 86 wallets and consolidated the funds into DAI.
Bitget
2026-05-26
Incident reported in multiple outlets
Both Cryptobriefing and Bitget published articles detailing the exploit and its implications.
Cryptobriefing

Community

Browse all →