$3M Drained from 86 Gnosis Safes in SquidRouterModule Exploit


Nearly $3 million was stolen from 86 Safe wallets after hackers exploited a vulnerable third-party SquidRouterModule linked to the Squid ecosystem. The attack happened within about two hours, with attackers using fake Uniswap V3 swaps to drain user funds. The stolen assets were later converted into more than 3 million DAI.

How Did the SquidRouterModule Exploit Happen?

Blockchain security firm Blockaid says the attack was possible because affected wallets had previously approved a vulnerable third-party module with broad transaction permissions.

The attacker exploited the module’s executeSameChainActions() function to pretend to be a trusted user and carry out fake Uniswap V3 swaps without needing direct approval from wallet owners.

Before launching the attack, the hacker funded their wallet with 2.1 ETH through Tornado Cash and then carried out automated attacks across both the Ethereum and Base networks.

After draining the funds, the attacker removed liquidity from the pools and converted the stolen assets, such as USDC and USDT, into about 3.07 million DAI, which is still sitting in the attacker’s wallet.

Were Gnosis Safe Wallets Directly Hacked?

No. The core Safe infrastructure itself was not compromised.

According to Squid and blockchain security firms, the issue came from a separate third-party module integrated into some Safe wallets. Users who never added or trusted the vulnerable module were not affected.

According to Squid’s announcement, the vulnerable contract was not built, deployed, or operated by its core team despite sharing a similar name.

The company explained that the exploit worked because the module accepted a publicly known constant string as proof of authorization, allowing attackers to execute arbitrary transactions without valid wallet signatures.

Squid also confirmed that its main router contracts and user funds were never affected.
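The authorization flaw described above, modeled as an added example (not the module's actual code): a module that accepts a public constant as proof, next to one that requires owner-produced proof bound to the specific action. All class and method names are hypothetical, the constant is a placeholder, and an HMAC key stands in for the wallet owners' signatures.

```python
import hashlib
import hmac

# Constructed placeholder: the page does not give the real constant.
PUBLIC_CONSTANT = b"publicly-known-constant"


class Safe:
    """Toy wallet (hypothetical model): enabled modules may move its funds."""

    def __init__(self, owner_key: bytes, balance: int):
        self._owner_key = owner_key  # HMAC key stands in for owner signing keys
        self.balance = balance
        self.nonce = 0
        self.modules = set()

    def owner_sign(self, to: str, amount: int) -> bytes:
        # Approval is bound to recipient, amount and nonce, so it cannot be replayed.
        msg = f"{to}|{amount}|{self.nonce}".encode()
        return hmac.new(self._owner_key, msg, hashlib.sha256).digest()

    def check_signature(self, to: str, amount: int, sig: bytes) -> bool:
        return hmac.compare_digest(sig, self.owner_sign(to, amount))

    def exec_from_module(self, module, to: str, amount: int) -> bool:
        # Only modules the owner enabled can act; a Safe without it is unaffected.
        if module not in self.modules or amount > self.balance:
            return False
        self.balance -= amount
        self.nonce += 1
        return True


class VulnerableModule:
    """The flaw as described: a constant anyone can read counts as authorization."""

    def execute(self, safe: Safe, to: str, amount: int, proof: bytes) -> bool:
        if proof != PUBLIC_CONSTANT:
            return False
        return safe.exec_from_module(self, to, amount)


class HardenedModule:
    """Accepts only proof the owner alone can produce for this exact action."""

    def execute(self, safe: Safe, to: str, amount: int, proof: bytes) -> bool:
        if not safe.check_signature(to, amount, proof):
            return False
        return safe.exec_from_module(self, to, amount)
```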
