Security monitoring platforms have reported a significant exploit targeting the SquidRouterModule on the Ethereum and Base networks. On May 25, 2026, blockchain security firm Blockaid identified a series of unauthorized transactions that led to the depletion of 86 Gnosis Safe wallets. Within a two-hour window, the attacker managed to exfiltrate digital assets valued at approximately $2 million, highlighting ongoing vulnerabilities within cross-chain routing infrastructure and multisig wallet interactions.
Mechanism of the Attack and Asset Movement
The breach focused on the interaction between the SquidRouterModule and individual Gnosis Safe deployments. According to technical data, the perpetrator executed a rapid sequence of drains, targeting liquidity across two major ecosystems. The stolen funds were not kept in their original form but were immediately processed through decentralized finance (DeFi) protocols to obscure the trail and stabilize the value of the haul.
- The attacker utilized a Uniswap V3 liquidity pool specifically controlled by their own address.
- All stolen tokens were swapped into the stablecoin DAI to prevent price volatility or potential asset freezing by centralized issuers.
- The illicitly obtained funds were consolidated into a single primary wallet address.
The use of controlled liquidity pools is a common tactic among sophisticated actors to ensure they can swap large volumes of illiquid or stolen tokens without alerting traditional slippage monitors.
Current Status of Stolen Funds
As of the latest on-chain analysis, the attacker’s primary consolidation address holds approximately 2.07 million DAI. Security experts are currently monitoring this address for any movement toward mixers or centralized exchanges. The impact on the Ethereum and Base ecosystems has prompted a temporary pause or warning for users interacting with affected router contracts.
SquidRouterModule is under continuous attack. Within approximately two hours, 86 Gnosis Safe wallets have been emptied, resulting in losses of about $2 million.
The incident underscores the persistent risks associated with smart contract permissions. Users who have previously interacted with the SquidRouterModule are advised to review their contract approvals and consider revoking permissions for the compromised router to prevent further unauthorized access to their funds.
In conclusion, the exploit of the SquidRouterModule serves as a stark reminder of the security challenges facing cross-chain interoperability tools. As the total loss stabilizes at over $2 million in DAI, the focus shifts to the Squid protocol team and security auditors to identify the specific code vulnerability that allowed the drainage of protected Gnosis Safe wallets. Investors and DeFi participants are urged to maintain rigorous security protocols, including the frequent auditing of third-party contract allowances.
Frequently Asked Questions
Quick answers to the most common questions about this topic.
For educational purposes only. Nothing here constitutes financial or investment advice. Crypto markets are highly volatile — always DYOR before making any decisions.
Fact-checked per our editorial policy. We maintain strict independence from advertisers. Spot an error? Let us know.