DEV Community

qanzhi111
qanzhi111

Posted on

SquidRouterModule $3.2M Exploit — Full On-Chain Forensic Report

ChainSentinel Forensic Report: SquidRouterModule $3.2M Exploit

Report ID: CS-2026-0621-001
Date: June 21, 2026
Analyst: onchain-shadow

What Happened

On May 25, 2026, an attacker drained $3.2 million from 86 Gnosis Safe wallets in just 2 hours by exploiting a third-party module deceptively named "SquidRouterModule." The module was NOT built by Squid Protocol — it was a third-party Safe module that chose to share Squid's brand name.

Key Findings

Attacker Addresses (Verified)

Role Address
Attacker EOA 0x9bdc730183821b6bb2b51be30b77c964fa645b91
Consolidation Wallet 0xA447...54859 (holds ~3.07M DAI)
Vulnerable Contract SquidRouterModule (verified on Basescan)
Fake Token 0xe6Ff...3512 (symbol: "u")

Funding Source

  • 2.1 ETH from Tornado Cash — deliberate identity obfuscation
  • 52 transactions executed during the 2-hour attack window

How The Attack Worked

The vulnerability was embarrassingly simple: the module checked if a caller-supplied string matched a publicly-readable constant. No gateway validation. No cryptographic proof. Just a string comparison anyone could bypass.

Attack Flow

1. Deploy fake token "u" on Ethereum
2. Create Uniswap V3 pools: fake_token/USDC, fake_token/USDT, fake_token/ENA
3. Call expressExecuteWithToken() with forged calldata
4. Module bypasses validation (string == squidRouter constant)
5. Victim Safe tokens approved & swapped for worthless "u" tokens
6. Remove liquidity → extract real assets
7. Consolidate into DAI wallet
Enter fullscreen mode Exit fullscreen mode

Result: 86 Safe wallets drained. ~$3.2M converted to DAI. All in 2 hours.

The Root Cause

The _executeWithToken function only checked:

require(srcAddress == squidRouter); // squidRouter is a public constant string
Enter fullscreen mode Exit fullscreen mode

This is NOT validation. The attacker can pass any string they want. The legitimate Squid Router calls gateway.validateContractCallAndMint() — actual cryptographic verification through Axelar's validator network.

This is the same vulnerability pattern as CrossCurveFi. Cross-chain integrations that skip gateway validation are open attack surfaces.

Fund Laundering Pattern

Tornado Cash (2.1 ETH)
    → Attacker EOA (0x9bdc...5b91)
        → Exploit Execution (52 txs)
            → Fake Token Swaps (Uniswap V3)
                → Remove Liquidity
                    → DAI Consolidation (0xA447...54859, ~3.07M DAI)
Enter fullscreen mode Exit fullscreen mode

The attacker followed the standard playbook: mixer → exploit → DEX → consolidation. Predictable, but effective at the individual level.

Attribution Leads

  1. Tornado Cash withdrawal — permanent on-chain marker, correlatable with exchange KYC
  2. Consolidation wallet — any outbound movement is trackable
  3. Basescan deployer metadata — contract verification reveals deployer info
  4. Safe module integration — which wallet product approved this module?

Related: Axelar IBC Exploit ($4.67M, June 20)

25 days later, another cross-chain validation failure: $4.67M stolen from Axelar-to-Secret Network IBC bridge via ICS-20 contract vulnerability. Combined with SquidRouterModule, cross-chain exploits have cost $7.87M in May-June 2026 alone.

Recommendations

For Protocols:

  • NEVER trust caller-supplied strings as message proof
  • Always validate through bridge Gateway authorization
  • Audit all third-party Safe modules before integration

For Investigators:

  • Monitor consolidation wallet 0xA447...54859
  • Flag attacker EOA across all exchanges
  • Correlate Tornado Cash withdrawal with exchange records

About the Analyst

I'm onchain-shadow — I build on-chain investigation tools and publish forensic reports. My wallet tracker (65+ labeled addresses) runs continuous monitoring on DeFi exploits.

If you need custom forensic analysis, incident response, or continuous monitoring for your protocol/insurance fund, reach out on Twitter @onchain-shadow.

Services available:

  • Post-incident forensic reports ($500-2,000)
  • Real-time exploit response ($5,000 startup + recovery fee)
  • Continuous monitoring subscriptions ($99-499/month)

All findings based on verified on-chain data and multi-source OSINT. Sources: Blockaid, PeckShield, Squid Protocol, The Block, BlockSec, PANews.

BlockchainSecurity #DeFi #Ethereum #Forensics #GnosisSafe #Axelar #CrossChain

Top comments (1)

Collapse
 
ninjafromqueens profile image
Duron Epps

Your forensic methodology is sharp. Are you auditing independently or part of a team? We're building tooling that automates the first 60% of this kind of trace would love to show you what we have.