{"id":29545,"date":"2026-05-25T16:37:56","date_gmt":"2026-05-25T16:37:56","guid":{"rendered":"https:\/\/bitunikey.com\/news\/squid-rushes-to-separate-brand-from-3-million-gnosis-safe-module-exploit\/"},"modified":"2026-05-25T16:38:09","modified_gmt":"2026-05-25T16:38:09","slug":"squid-rushes-to-separate-brand-from-3-million-gnosis-safe-module-exploit","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/squid-rushes-to-separate-brand-from-3-million-gnosis-safe-module-exploit\/","title":{"rendered":"Squid rushes to separate brand from $3 million Gnosis Safe module exploit"},"content":{"rendered":"<p><\/p>\n<div class=\"post-detail__content blocks\">\n<p>Squid has moved quickly to stress that a recent $3 million exploit targeted a third party Gnosis Safe module called SquidRouterModule, not its core cross chain routing contracts, after 86 wallets on Ethereum and Base were drained in under two hours.<\/p>\n<div id=\"cn-block-summary-block_5b46b250a300c411a43446f76026c149\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Blockaid flagged an active exploit on the SquidRouterModule affecting 86 Gnosis Safes<\/li>\n<li>Around $3 million to $3.2 million was stolen and swapped into DAI via Uniswap<\/li>\n<li>The vulnerability was a fixed string \u201cmessage security\u201d check that attackers reused<\/li>\n<li>Squid says its main 0xce16F router contract and user funds are unaffected<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>According to on chain security firm Blockaid, the attack centered on a Gnosis Safe module named SquidRouterModule deployed on Ethereum and Base, which was used by some multisig owners to route cross chain transactions involving Squid and other protocols.<\/p>\n<p>Blockaid reported that over roughly two hours the attacker siphoned funds from 86 Gnosis Safe wallets, with total losses of about $3 million to $3.2 million, before consolidating the proceeds into a single address holding just over 3.07 million DAI.<\/p>\n<p>In a detailed summary, KuCoin\u2019s news desk cites Blockaid and Squid as saying the stolen tokens were swapped into DAI via a custom Uniswap V3 pool set up by the attacker, who then aggregated the drained funds into one wallet to simplify laundering.<\/p>\n<p>The core bug sat inside the SquidRouterModule\u2019s \u201cmessage security\u201d logic: Binance Square coverage explains that the module simply accepted a constant string provided by the caller as proof that a message was valid, which meant anyone who could see the contract code could copy the string and pass arbitrary call data.<\/p>\n<p>CoinNess reports that the attacker exploited this public fixed string verification to execute arbitrary calls from the affected Safes, effectively granting themselves permission to move assets out of the multisigs without owner confirmation.<\/p>\n<h2 class=\"wp-block-heading\">How did the SquidRouterModule exploit drain 86 Gnosis Safes?<\/h2>\n<p>Binance\u2019s incident note describes it bluntly, saying the design \u201caccepted a fixed string provided by the caller for message security,\u201d a pattern that eliminated any real authentication and opened a direct path for draining funds from integrated wallets.<\/p>\n<p>This is a known class of risk for Gnosis Safe modules, as earlier research by OpenZeppelin showed that any attached module can execute transactions from a wallet without owner approval if its internal checks are weak or misconfigured.<a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.openzeppelin.com\/news\/backdooring-gnosis-safe-multisig-wallets\"><\/a><\/p>\n<p>In this case, the unsafe module was branded with the Squid name but was developed and deployed by a third party integrator, not by the Squid team or its core protocol maintainers.<\/p>\n<h2 class=\"wp-block-heading\" id=\"why-is-squid-distancing-its-core-router-from-the-h\">Why is Squid distancing its core router from the hack?<\/h2>\n<p>In an official X post, Squid stated that \u201cthis incident is unrelated to Squid\u2019s core protocol and contracts,\u201d and emphasized that its main routing contract, identified on chain as 0xce16F69375520ab01377ce7B88f5BA8C48F8D666, \u201cwas not involved in any of the malicious transactions.\u201d<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">This incident is unrelated to Squid\u2019s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed.<\/p>\n<p>A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable\u2026 <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/I3gGmdBvE9\">https:\/\/t.co\/I3gGmdBvE9<\/a><\/p>\n<p>\u2014 squid (@squidrouter) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/squidrouter\/status\/2058890710611276238?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">May 25, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>KuCoin\u2019s write up notes that Squid clarified the SquidRouterModule \u201cwas neither developed, deployed, nor operated by them; the name was independently chosen by a third party when integrating with Squid,\u201d and that it sits completely outside the architecture of the core router.<a rel=\"nofollow\" target=\"_blank\" target=\"_blank\" href=\"https:\/\/www.kucoin.com\/news\/flash\/squid-clarifies-third-party-module-exploit-core-protocol-unaffected\"><\/a><\/p>\n<p>The team further stressed that users\u2019 funds, existing approvals and protocol level integrations remain secure, and that \u201cSquid\u2019s core cross chain routing remains unaffected,\u201d while it continues to monitor the situation and coordinate with security firms.<\/p>\n<p>Despite this, the optics are bad: as the KuCoin piece points out, headlines inevitably pair \u201cSquid\u201d with \u201chack,\u201d even though the blast radius is limited to a sloppy Safe module whose only real connection to the project is the branding and its use of Squid as one of several integrated routers.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<p>Security researchers have long warned that Gnosis Safe\u2019s power comes with a caveat that any module plugged into a Safe can execute transactions without owner confirmations if its logic is flawed, which is exactly what happened here once the fixed string check was bypassed.<\/p>\n<p>For the broader cross chain and wallet extension ecosystem, the SquidRouterModule incident is another concrete example of how composability plus lazy security assumptions in peripheral modules can open attack surfaces completely outside a protocol\u2019s own contracts and audits.<\/p>\n<p>It also underlines a painful reality for infrastructure teams like Squid, which Axelar describes as \u201ca protocol that enables cross chain liquidity routing and swaps through a single SDK\u201d: even when your own contracts are sound, third party wrappers can still drag your brand into exploit headlines if they fail basic security hygiene.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p><\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Squid has moved quickly to stress that a recent $3 million exploit targeted a third party Gnosis Safe module called SquidRouterModule, not its core cross chain routing contracts, after 86&hellip;<\/p>\n","protected":false},"author":1,"featured_media":29546,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-29545","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=29545"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29545\/revisions"}],"predecessor-version":[{"id":29547,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29545\/revisions\/29547"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/29546"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=29545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=29545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=29545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}