May 25, 2026 ChainGPT

Third‑party "SquidRouterModule" Exploit Drains ~$3M from 86 Gnosis Safes — Squid Says Core Unaffected

A fast-moving exploit that drained roughly $3–3.2 million from 86 Gnosis Safe wallets on Ethereum and Base has been traced to a third‑party Safe module named SquidRouterModule — a module that used Squid branding but was not developed or deployed by the Squid team, according to on‑chain security firm Blockaid and statements from Squid.

What happened

- Over the course of about two hours the attacker emptied 86 multisigs that had the SquidRouterModule attached, then swapped stolen tokens into DAI using a custom Uniswap V3 pool and consolidated proceeds into a single address holding ~3.07M DAI.
- Blockaid, cited by KuCoin’s news desk, put total losses at roughly $3–3.2M.
- The module was being used by some multisig owners to route cross‑chain transactions involving Squid and other routers.

The root cause (technical)

- The vulnerability lived in the SquidRouterModule’s “message security” logic: the module accepted a constant string supplied by the caller as proof a message was valid.
- Because that verification string was public, anyone could reproduce it and pass arbitrary calldata to the module — effectively allowing the module to execute arbitrary transactions from affected Safes without owner approvals.
- Binance’s incident note and CoinNess summarize the issue bluntly: the fixed‑string check removed meaningful authentication and opened a direct path to drain funds.

Who built it

- Squid says the module was created and deployed by a third‑party integrator who independently chose the “SquidRouterModule” name. The Squid team emphasizes their core routing contract (on chain: 0xce16F69375520ab01377ce7B88f5BA8C48F8D666) was not involved in any malicious transactions.
- In an X post, Squid stated the incident is unrelated to its core protocol and that users and integrators are unaffected, adding that no action is needed.

Broader context and implications

- Security researchers have long warned that Gnosis Safe modules are powerful but risky: any attached module can execute transactions from a Safe if its internal checks are weak or misconfigured — a class of risk OpenZeppelin has highlighted before.
- This incident underlines a recurring problem for composable DeFi ecosystems: even when a protocol’s own contracts are secure, third‑party wrappers or integrations with weak security can expose users and drag a project’s brand into exploit headlines.
- As Axelar put it in coverage cited by the article, infrastructure teams that enable cross‑chain routing can still suffer reputational damage when third‑party components fail basic security hygiene.

Current status

- Squid says it is monitoring the situation and coordinating with security firms. Investigations and on‑chain tracing by Blockaid and others are ongoing; the stolen funds were already consolidated into a single DAI wallet.

Takeaway

- The attack is a warning sign for multisig owners and infrastructure projects: vet third‑party modules, enforce strict module‑level authentication checks, and treat module integrations as first‑class security scopes — not optional extras.
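
The fixed-string check described under the root cause, modelled beside a check that binds the proof to the request, as an added example that is not the module's code or anything published by Squid or Safe. It is an off-chain Python model in which HMAC stands in for owner signatures; the marker, key, Safe address and calldata strings are constructed placeholders.

```python
import hashlib
import hmac

# Constructed values for illustration; none come from the real module.
PUBLIC_MARKER = b"constructed-fixed-marker"   # constant visible to anyone
OWNER_KEY = b"constructed-owner-secret"       # stands in for a Safe owner's signing key


def weak_authorize(proof: bytes, calldata: bytes) -> bool:
    """Pattern the article describes: the proof is a caller-supplied constant.

    Nothing ties the proof to the calldata, the Safe, the chain or a nonce.
    """
    return proof == PUBLIC_MARKER


class HardenedModule:
    """Accepts a message only with a MAC over its full context, once per nonce."""

    def __init__(self, safe: str, chain_id: int, owner_key: bytes):
        self.safe, self.chain_id, self._key = safe, chain_id, owner_key
        self.next_nonce = 0

    def digest(self, calldata: bytes, nonce: int) -> bytes:
        # Length-prefix the calldata so bytes cannot shift between fields.
        head = [self.safe, str(self.chain_id), str(nonce), str(len(calldata))]
        msg = "|".join(head).encode() + b"|" + calldata
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def authorize(self, proof: bytes, calldata: bytes, nonce: int) -> bool:
        if nonce != self.next_nonce:
            return False                      # replayed or out-of-order message
        if not hmac.compare_digest(proof, self.digest(calldata, nonce)):
            return False                      # proof not bound to this exact request
        self.next_nonce += 1
        return True


def demo() -> dict:
    approved, other = b"transfer(treasury, 1)", b"transfer(unknown, all)"
    mod = HardenedModule("0xSAFE_PLACEHOLDER", 1, OWNER_KEY)
    proof = mod.digest(approved, 0)           # produced by the key holder
    return {
        "weak_accepts_any_calldata": weak_authorize(PUBLIC_MARKER, other),
        "hardened_rejects_public_marker": not mod.authorize(PUBLIC_MARKER, other, 0),
        "hardened_rejects_swapped_calldata": not mod.authorize(proof, other, 0),
        "hardened_accepts_approved": mod.authorize(proof, approved, 0),
        "hardened_rejects_replay": not mod.authorize(proof, approved, 0),
    }
```

Each entry returned by `demo()` is true: the constant check approves calldata it has never seen, while the bound check rejects the public constant, a proof reused with different calldata, and a replay of an already-accepted message.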