SquidRouterModule Exploit Drains 86 Gnosis Safes For About $3M




An active exploit targeting SquidRouterModule has drained 86 Gnosis Safes across Ethereum and Base, with losses estimated at about $3 million in roughly two hours.

The attack centers on Safe smart accounts that appear to have been exposed through module-level execution rather than a confirmed failure in the core Safe contract itself. That distinction keeps the immediate focus on enabled modules, transaction permissions and routing logic, not on ordinary multisig ownership thresholds.

Safe modules are powerful smart contract extensions that can automate or customize wallet activity, including DeFi interactions and recurring transactions. That same flexibility creates risk when a module has enough authority to execute asset movements from a Safe. The current drain shows how quickly that risk can move from account configuration to live fund loss when many wallets share the same vulnerable path.

The incident lands in a broader run of crypto wallet and protocol drains, including recent Ethereum wallet-drain alerts where users were left with little time to react once funds began moving onchain.

Stolen Assets Were Converted Into DAI

The stolen tokens were swapped into DAI through attacker-controlled Uniswap V3 pools, concentrating the proceeds into a widely used stablecoin while the exploit was still active.

That routing choice is important because attacker-controlled pools can shape the swap path and liquidity conditions used during the conversion. Uniswap V3 pools rely on concentrated liquidity, where liquidity providers place capital inside defined price ranges, making pool structure and depth especially relevant when abnormal swaps hit thin or custom markets.

DAI also keeps the incident tied to the stablecoin side of DeFi risk. Recent exploit coverage has already shown how quickly onchain incidents can spill into stablecoin liquidity and peg confidence, including the Blockaid-flagged StablR Euro exploit that pushed EURR and USDR away from their intended values on Ethereum DEX markets.

Module Permissions Move Into Focus

The useful checks now are concrete: affected teams need to review whether SquidRouterModule is enabled, inspect recent module executions, check approvals and asset movements on Ethereum and Base, and monitor addresses that received DAI from the swap path.
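The first check in that list, confirming which modules each Safe has enabled, can be scripted against the Safe contract's `getModulesPaginated(address,uint256)` view function. This is an added example, not code from the article, Safe or Squid. It assumes a caller-supplied `eth_call(to, data)` JSON-RPC wrapper, and the suspect module address passed to `flag_safes` is a placeholder because the public alert has not published it.

```python
# Added example (not from the article, Safe or Squid). Sample data is constructed;
# eth_call(to, data) -> hex string is a caller-supplied JSON-RPC wrapper (assumed).
SENTINEL = "0x" + "0" * 39 + "1"   # head/tail marker of the Safe module linked list
ZERO = "0x" + "0" * 40
SELECTOR = "cc2f8452"              # getModulesPaginated(address,uint256)

def encode_call(start, page_size):
    """ABI-encode calldata for getModulesPaginated(start, page_size)."""
    return "0x" + SELECTOR + start[2:].lower().rjust(64, "0") + format(page_size, "064x")

def decode_page(ret_hex):
    """Decode the returned (address[] array, address next) tuple."""
    data = bytes.fromhex(ret_hex[2:])
    word = lambda i: data[i * 32:(i + 1) * 32]
    addr = lambda i: "0x" + word(i)[12:].hex()
    base = int.from_bytes(word(0), "big") // 32   # head word 0 = offset of the array
    count = int.from_bytes(word(base), "big")
    if len(data) < 64 or len(data) < (base + 1 + count) * 32:
        raise ValueError("truncated response (is the target really a Safe?)")
    return [addr(base + 1 + i) for i in range(count)], addr(1)

def list_modules(eth_call, safe, page_size=10):
    """Walk every page of enabled modules for one Safe."""
    modules, start = [], SENTINEL
    while True:
        page, nxt = decode_page(eth_call(safe, encode_call(start, page_size)))
        modules += page
        if not page or nxt in (SENTINEL, ZERO):
            return modules
        start = page[-1]   # resume after the last module already seen

def flag_safes(eth_call, safes, suspect_modules):
    """Return {safe: [enabled modules that are on the suspect list]}."""
    suspect = {m.lower() for m in suspect_modules}
    hits = {}
    for safe in safes:
        found = [m for m in list_modules(eth_call, safe) if m in suspect]
        if found:
            hits[safe] = found
    return hits

if __name__ == "__main__":
    # Constructed response: one enabled module (0x...aa), next == sentinel.
    sample = "0x" + "".join(format(v, "064x") for v in (0x40, 1, 1, 0xAA))
    print(decode_page(sample))
```

Run it once per network (Ethereum and Base) with that network's RPC endpoint behind `eth_call`; a Safe that appears in the result still has the module enabled and can be prioritized for review.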

The public alert does not yet include a final root cause, a confirmed recovery path, or a complete list of affected Safe addresses. Until a fuller technical breakdown is available, the safest operating assumption for Safe users is that module permissions deserve the same urgency as token approvals, signer security and front-end phishing checks.

The speed of the drain is the main warning. In another Blockaid-tracked case, Aftermath paused its protocol after about $1.1 million USDC was drained in 36 minutes on Sui. The SquidRouterModule incident appears larger and broader, with 86 Safes hit across two networks before the first public details settled.

For teams using Safe accounts, the next verifiable updates will be the affected module address, exploited call path, attacker addresses, DAI destination wallets, any recovery contacts, and whether Safe, Squid, or security firms publish mitigation instructions for Ethereum and Base users.


