
Blockaid detected an exploit draining 86 Gnosis Safes via a SquidRouterModule vulnerability. Squid denies core protocol involvement.
Cross-chain protocol Squid has publicly denied any involvement in a smart contract exploit that drained roughly $3 million from 86 Gnosis Safe wallets across Ethereum and Base. The incident, detected by blockchain security firm Blockaid on 25 May over a roughly two-hour period, has raised questions about third-party module risk in composable DeFi.
Blockaid reported that the attacker exploited a vulnerability in the executeSameChainActions() function tied to a contract verified as "SquidRouterModule". This function allowed malicious transactions to impersonate authorized delegates and execute arbitrary token swaps from victim wallets.
The core of the exploit relied on a design flaw in the third-party module. Squid stated that the vulnerable contract accepted a caller-supplied constant string as proof that a message was secure. This allowed attackers to execute arbitrary calldata after the module was added as a trusted Safe module.
Because trusted Safe modules can spend assets without requiring additional signatures, attackers were able to drain tokens directly from affected wallets. The stolen assets were swapped through attacker-controlled Uniswap V3 pools before being consolidated into roughly $3.07 million worth of DAI.
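The design flaw described above, as an added illustration that is not the actual SquidRouterModule code: a Safe module that accepts a caller-supplied constant string as its "proof" beside a version that only honors delegates the Safe itself has approved. Contract names, the MAGIC constant and setDelegate() are assumptions; executeSameChainActions() and execTransactionFromModule() are the names the page and the Safe module interface use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal Safe interface. Any enabled module may call this and the Safe
// executes the call without collecting owner signatures.
interface ISafe {
    function execTransactionFromModule(
        address to, uint256 value, bytes calldata data, uint8 operation
    ) external returns (bool success);
}

// Illustrative vulnerable pattern (assumed, not the real module code):
// the "proof" is a fixed string, so anyone who knows it is a "delegate".
contract VulnerableModule {
    bytes32 private constant MAGIC = keccak256("SECURE"); // constant "proof"

    function executeSameChainActions(
        ISafe safe, address to, bytes calldata data, string calldata proof
    ) external {
        // Any caller can pass "SECURE": this check proves nothing about msg.sender.
        require(keccak256(bytes(proof)) == MAGIC, "bad proof");
        // Arbitrary calldata is now executed with the Safe's full authority.
        require(safe.execTransactionFromModule(to, 0, data, 0), "exec failed");
    }
}

// Hardened form: authorization is per Safe and per delegate, and can only be
// granted by the Safe itself (msg.sender is the Safe when owners execute a
// normal multisig transaction that calls setDelegate).
contract HardenedModule {
    mapping(address => mapping(address => bool)) public delegates; // safe => delegate

    event DelegateSet(address indexed safe, address indexed delegate, bool allowed);

    function setDelegate(address delegate, bool allowed) external {
        delegates[msg.sender][delegate] = allowed;
        emit DelegateSet(msg.sender, delegate, allowed);
    }

    function executeSameChainActions(
        ISafe safe, address to, bytes calldata data
    ) external {
        // Bind the permission to the calling account and to this specific Safe,
        // so a delegate of one Safe cannot act on another.
        require(delegates[address(safe)][msg.sender], "not a delegate");
        require(safe.execTransactionFromModule(to, 0, data, 0), "exec failed");
    }
}
```

Even the hardened module still has unrestricted calldata once a delegate is approved, so owners should treat enabling it as granting that delegate spending power over the Safe.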
Squid issued a public statement clarifying that the exploit did not affect its core contracts, users, or integrations. The protocol described the vulnerable module as a "third-party smart-wallet product" that integrated with Squid but was not built, deployed, or operated by the company itself.
The incident highlights how naming conventions and integrations can create reputational spillover during exploits. A module named "SquidRouterModule" naturally draws attention to Squid, even when the core protocol remains uncompromised. This dynamic creates asymmetric risk for protocols that allow third-party developers to build modules using their branding or integration points.
This exploit underscores a broader trend in DeFi security. Attackers increasingly target external permissions, middleware infrastructure, and auxiliary modules connected to broader ecosystems, rather than attacking a protocol's core contracts directly.
Blockaid said the attacker deployed exploit contracts using Foundry tooling and created attacker-controlled tokens and liquidity pools as part of the exploit flow. The full attack chain involved:
executeSameChainActions() function allowed unauthorized token movement.
For Gnosis Safe users, the incident is a reminder that adding any third-party module expands the attack surface. A module with delegated execution capabilities can effectively bypass the multi-signature requirement for specific actions. Users should audit which modules they have authorized and review the permissions those modules hold.
The exploit specifically targeted Gnosis Safe wallets that had added the vulnerable SquidRouterModule. At the time of writing, no indication had emerged suggesting Squid's main router contract or core user funds were compromised.
The incident unfolded rapidly on 25 May. Blockaid detected the ongoing exploit and issued a public alert within the two-hour window. Squid responded shortly after with its denial of core protocol involvement.
This incident is not a reason to avoid Squid or Gnosis Safe. It is a reason to treat third-party modules as distinct risk vectors. Every module added to a smart wallet creates a potential execution path that bypasses the wallet's native security model.
Risk to watch: The next exploit in this category will likely target a different middleware provider or module developer. The attack pattern – exploit a named module, drain through manipulated liquidity pools, consolidate into a stablecoin – is now a playbook.
For traders using smart wallets, the practical step is to review authorized modules and revoke any that are not actively needed. For protocols, the lesson is that naming conventions matter. A module named after your protocol can create liability even when your core contracts are clean.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.