- Hackers stole approximately $3 million from 86 Gnosis Safes through a vulnerable SquidRouterModule.
- Only wallets that previously approved a vulnerable third-party module were targeted.
- Squid’s main router contracts and user funds were never affected by the exploit.
According to reports from Blockaid, hackers have exploited a vulnerable third-party SquidRouterModule linked to the Squid ecosystem.
In its latest post on X, the enterprise-grade Web3 security platform stated that the attackers drained approximately $3 million in about two hours from 86 Gnosis Safes before swapping the tokens to DAI via Uniswap V3 pools that they control.
What Made the Exploit Possible?
Providing further details, Blockaid noted that the attack was possible because the affected wallets had previously approved a vulnerable third-party module with broad transaction permissions. This allowed the attacker to pretend to be a trusted user while carrying out fake Uniswap V3 swaps without needing direct approval from wallet owners.
In a thread on X, Blockaid explained that the attackers funded their wallet with 2.1 ETH through Tornado Cash before launching the attack, after which they executed automated attacks on both the Ethereum and Base networks. The hacker's next move was to remove liquidity from the pools, converting the stolen assets into around 3.07 DAI, which was sitting in their wallet at the time of Blockaid's report.
Gnosis’s Core Infrastructure is Safe
It is worth noting that the reported attack did not affect Gnosis's core Safe infrastructure. Information from Squid and multiple blockchain security firms indicates that the vulnerability was in a separate third-party module integrated into some Safe wallets. Only users who trusted and interacted with that module in the past were affected by the exploit.
According to Squid's announcement about the exploit, its core team had no hand in the building, deployment, or operation of the vulnerable contract, despite sharing a similar name. The firm explained that the exploit was possible because the module accepted a publicly known constant string as proof of authorization, allowing hackers to execute arbitrary transactions without valid wallet signatures.
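The flaw Squid describes, a module that treats a public constant as proof of authorization, is modelled below next to a check bound to the owner and the exact transaction. This is an added illustration, not the module's code: `Safe`, `PUBLIC_CONSTANT` and all function names are hypothetical, and an HMAC under a per-owner key stands in for the owner's ECDSA signature.

```python
import hashlib
import hmac

# Constructed placeholder; the real constant is not given in the article.
PUBLIC_CONSTANT = b"MODULE_AUTH_V1"

class Safe:
    """Toy wallet: an enabled module can execute calls without owner signatures."""
    def __init__(self, address: str, owner_key: bytes):
        self.address = address
        self.owner_key = owner_key  # stand-in for the owner's signing key
        self.nonce = 0
        self.executed = []

    def exec_from_module(self, to: str, data: bytes) -> None:
        self.executed.append((to, data))

def tx_digest(chain_id: int, safe: Safe, to: str, data: bytes) -> bytes:
    # Bind the authorization to chain, wallet, nonce and the exact call.
    fields = [str(chain_id).encode(), safe.address.encode(),
              str(safe.nonce).encode(), to.encode(), data]
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)  # length prefix avoids ambiguity
    return h.digest()

def owner_authorize(owner_key: bytes, chain_id: int, safe: Safe,
                    to: str, data: bytes) -> bytes:
    digest = tx_digest(chain_id, safe, to, data)
    return hmac.new(owner_key, digest, hashlib.sha256).digest()

def vulnerable_module(safe: Safe, to: str, data: bytes, proof: bytes) -> bool:
    # Flawed: the "proof" is the same public value for every caller and call.
    if proof != PUBLIC_CONSTANT:
        return False
    safe.exec_from_module(to, data)
    return True

def hardened_module(chain_id: int, safe: Safe, to: str, data: bytes,
                    proof: bytes) -> bool:
    expected = owner_authorize(safe.owner_key, chain_id, safe, to, data)
    if not hmac.compare_digest(expected, proof):
        return False
    safe.nonce += 1  # consume the nonce so the proof cannot be replayed
    safe.exec_from_module(to, data)
    return True
```

In the hardened path, a proof issued for one chain, wallet, nonce or call is rejected for any other, which is the property a constant string cannot provide.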
In the meantime, Squid told its community members that it is monitoring the situation and will share updates if anything changes materially. The firm also confirmed that its main router contracts and user funds were never affected by the exploit.
Source: https://coinedition.com/hackers-drain-3-million-from-86-gnosis-safes-in-squidroutermodule-exploit/