{"id":29589,"date":"2026-05-25T20:52:25","date_gmt":"2026-05-25T20:52:25","guid":{"rendered":"https:\/\/bitunikey.com\/news\/blockaid-flags-3m-squidroutermodule-exploit-across-86-safes\/"},"modified":"2026-05-25T20:52:35","modified_gmt":"2026-05-25T20:52:35","slug":"blockaid-flags-3m-squidroutermodule-exploit-across-86-safes","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/blockaid-flags-3m-squidroutermodule-exploit-across-86-safes\/","title":{"rendered":"Blockaid flags $3M SquidRouterModule exploit across 86 Safes"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<p><strong>Blockaid said it detected an active exploit targeting the SquidRouterModule on Ethereum and Base, with 86 Gnosis Safes drained for about $3 million in roughly two hours.<\/strong><\/p>\n<div id=\"cn-block-summary-block_3230488f68cb4bcb2e0c875d144e30b5\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Blockaid said 86 Gnosis Safes were drained for about $3 million within roughly two hours.<\/li>\n<li>The attacker swapped stolen assets into DAI through attacker-controlled Uniswap V3 pools, Blockaid said.<\/li>\n<li>Related crypto.news coverage shows May has brought repeated DeFi exploits across wallets, bridges, and stablecoins.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>The blockchain security firm said the stolen tokens were swapped into DAI through attacker-controlled Uniswap V3 pools. The alert listed an exploiter address, a consolidation wallet, and one example drain transaction.<\/p>\n<p>According to Blockaid\u2019s X thread, the exploit targeted Gnosis Safes linked to the SquidRouterModule. 
The firm said the attack moved quickly, draining dozens of Safes before the stolen assets were converted.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">\ud83d\udea8 Blockaid detected an ongoing exploit targeting the SquidRouterModule on Ethereum and Base.<\/p>\n<p>86 Gnosis Safes drained for ~$3M in ~2 hours. <br \/>All stolen tokens swapped to DAI via attacker-controlled Uniswap V3 pools.<br \/>More details in \ud83e\uddf5<\/p>\n<p>\u2014 Blockaid (@blockaid_) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/blockaid_\/status\/2058875782810726556?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">May 25, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>The alert <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/t.co\/9yXiytAzDN\" target=\"_blank\" rel=\"nofollow\">identified<\/a> the exploiter address as 0x9bdc730183821b6bb2b51be30b77c964fa645b91. Etherscan data shows that address was funded by Tornado Cash and recorded 52 transactions, with activity listed on May 25.<\/p>\n<p>Blockaid also pointed to a consolidation wallet holding the proceeds. 
Etherscan data for that wallet <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/etherscan.io\/address\/0xa447f71782135ab96a71374271a749ff7aa54859\" target=\"_blank\" rel=\"nofollow\">showed<\/a> about 3.07 million DAI, worth roughly $3.07 million, alongside a small ETH balance.<\/p>\n<figure class=\"wp-block-image size-large\"><figcaption class=\"wp-element-caption\">Source: Etherscan<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\"><strong>Stolen tokens move through Uniswap V3<\/strong><\/h2>\n<p>The example transaction <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/t.co\/RaL8OaTHB9\" target=\"_blank\" rel=\"nofollow\">shared<\/a> by Blockaid succeeded at 06:25:23 UTC on May 25. Etherscan shows the transaction came from the exploiter address and interacted with another address tied to the reported flow.<\/p>\n<p>The same transaction page shows swaps involving USDC, ENA, and USDT through Uniswap V3 pools. These details match Blockaid\u2019s claim that stolen assets were routed through decentralized exchange pools before being consolidated.<\/p>\n<p>In response, Squid later said the incident was unrelated to its core protocol and contracts. The team said all Squid users and integrators were unaffected and no action was needed. According to Squid, the exploited contract was a third-party Gnosis Safe module verified on Basescan as \u201cSquidRouterModule,\u201d but it was not built, deployed, or operated by Squid.<\/p>\n<p>Squid said the exploit came from a faulty third-party smart-wallet module that victims had added as a trusted Safe Module. The team added that its official router contract was architecturally different and was not touched.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">This incident is unrelated to Squid\u2019s core protocol and contracts. 
All Squid users and integrators are unaffected and no action is needed.<\/p>\n<p>A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable\u2026 <a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/t.co\/I3gGmdBvE9\">https:\/\/t.co\/I3gGmdBvE9<\/a><\/p>\n<p>\u2014 squid (@squidrouter) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/squidrouter\/status\/2058890710611276238?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">May 25, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<h2 class=\"wp-block-heading\"><strong>May exploit wave keeps security teams active<\/strong><\/h2>\n<p>The SquidRouterModule incident comes during an active month for onchain security teams. Crypto.news reported one day earlier that StablR\u2019s EURR and USDR stablecoins lost their pegs after a suspected private key compromise let an attacker take control of minting permissions and extract about $2.8 million.<\/p>\n<p>That report said Blockaid traced the StablR incident to a compromised multisig owner. The attacker reportedly minted 12.85 million tokens and converted thin DEX liquidity into 1,115 ETH in proceeds.<\/p>\n<p>Crypto.news also reported earlier in May that Blockaid flagged an active smart contract exploit involving ShapeShift\u2019s FOX Colony on Arbitrum. That incident drained $132,700 at first, before a related exploit pushed total losses to about $182,700.<\/p>\n<h2 class=\"wp-block-heading\"><strong>DeFi infrastructure risks remain in focus<\/strong><\/h2>\n<p>Recent exploit coverage shows attackers keep targeting weak points around smart contracts, proxies, bridges, wallets, and key management. 
Crypto.news reported in April that DefiLlama had logged 518 crypto hacks over 10 years, with total losses above $17 billion.<\/p>\n<p>The same report said recent incidents show attackers increasingly target private keys, signing systems, bridges, and wallets, not only smart contract code. That pattern makes module permissions and Safe integrations an important area for teams to review.<\/p>\n<p>Crypto.news also reported that TrustedVolumes lost roughly $6.7 million in an exploit tied to a custom RFQ swap proxy. Blockaid and other firms said about $5.87 million was drained from the protocol\u2019s Ethereum resolver.<\/p>\n<p>The latest SquidRouterModule alert adds another case where connected DeFi infrastructure became the attack surface.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Blockaid said it detected an active exploit targeting the SquidRouterModule on Ethereum and Base, with 86 Gnosis Safes drained for about $3 million in roughly two hours. 
Summary Blockaid said&hellip;<\/p>\n","protected":false},"author":1,"featured_media":28639,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-29589","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=29589"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29589\/revisions"}],"predecessor-version":[{"id":29590,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/29589\/revisions\/29590"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/28639"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=29589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=29589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=29589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}