On May 26, 2026, blockchain security firm Blockaid detected a sustained attack targeting the SquidRouterModule contract. Within approximately 2 hours, the attacker stole $3.2 million in cryptocurrency assets from 86 Gnosis Safe wallets.
After converting funds through attacker-controlled Uniswap V3 pools to DAI, all assets were consolidated and transferred to a single wallet address. PeckShield confirmed that the attacker initially received 2.1 ETH from Tornado Cash as startup capital.
Attacker Wallet: 0xA447...54859
🔍 Attack Methodology
Attack Flow
- Vulnerability Identification: The attacker discovered a design flaw in the executeSameChainActions() function of the SquidRouterModule contract
- Authorization Acquisition: Victim Safe wallets added the malicious contract as a "Trusted Safe Module"
- Permission Abuse: This module can control arbitrary tokens in the Safe wallet without signatures
- Exchange Laundering: Stolen tokens were swapped via Uniswap V3 to the nearly worthless malicious token "u"
- Fund Aggregation: All valuable assets were ultimately converted to DAI and aggregated to the attacker's wallet
Core Vulnerability
According to Squid's official statement:
"The root cause of the vulnerability was that a third-party module erroneously assumed that a publicly visible constant string was sufficient to represent 'safe'. If you pass this string (which is publicly available), you can execute arbitrary call data and steal funds arbitrarily."
Victim Behavior
Victim Safe wallets added SquidRouterModule as a "Trusted Safe Module". This authorization was intended to allow the contract to perform certain operations on behalf of the Safe, but the design flaw made it exploitable.
📊 Fund Flow Analysis
| Step | Asset | Status |
|---|---|---|
| Victim Safe | Various ERC-20 tokens | Stolen |
| Transit | Malicious token "u" | Worthless |
| Aggregation | ~$3.07M DAI | Attacker controlled |
| Initial Funds | 2.1 ETH (Tornado Cash) | Attacker source |
According to Global Ledger analysis, approximately $5.86M remains scattered across unused wallets.
⚠️ Not a Squid Protocol Incident
⚠️ This is NOT a Squid protocol security incident
"This is a third-party SquidRouterModule being exploited, not our protocol's Router contract."
"The affected contract used our name but is not our code."
Safe Labs CEO Rahul Rumalla stated that affected accounts were not operated through the official Safe Wallet product, and this malicious module had previously been flagged by Blockaid.
🛡️ Key Takeaways
Risks of "Third-Party Modules"
This attack reveals systemic risks of "third-party dependencies" in DeFi:
- Naming Confusion: Malicious contracts use names of legitimate projects
- Trust Transference: Users trust Safe wallets, but modules trusted by Safe may not be trustworthy
- Responsibility Vacuum: When third-party modules are exploited, liability attribution is unclear
Gnosis Safe's "Trusted Module" Mechanism
The "Trusted Safe Module" mechanism allows authorized contracts to execute operations on behalf of the wallet — but also brings risks:
- Module gains full control once authorized
- Consequences are severe if abused
- Users find it difficult to assess module security
Protection Recommendations
- Module Authorization Caution: Carefully review any third-party Safe modules
- Verify Contract Source: Ensure modules come from trusted developers
- Check Module Permissions: Understand what the module can do once authorized
- Use Safe Shield: Enable protection services provided by security vendors
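One way to act on the "Check Module Permissions" recommendation, as an added example that is not from the original post or from Safe: decode the return data of the Safe contract's `getModulesPaginated(address start, uint256 pageSize)` view and flag every enabled module that is not on a reviewed allowlist. It assumes the return type `(address[] array, address next)` and the list sentinel `address(0x1)`; the sample return data and all addresses are constructed, and fetching the data with `eth_call` is left to your RPC client.

```python
# Added example: audit which modules a Safe has enabled, from the raw return
# data of getModulesPaginated(address start, uint256 pageSize).
SENTINEL = "0x" + "00" * 19 + "01"  # Safe's module linked-list sentinel
ZERO = "0x" + "00" * 20             # seen as `next` on a Safe with no module list

def _word(data: bytes, offset: int) -> bytes:
    """Return the 32-byte ABI word at offset, rejecting truncated data."""
    if offset < 0 or offset + 32 > len(data):
        raise ValueError("return data truncated or offset out of range")
    return data[offset:offset + 32]

def _address(word: bytes) -> str:
    """Addresses are right-aligned in a word; the top 12 bytes must be zero."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret_hex: str):
    """Decode ABI-encoded (address[] array, address next)."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    array_offset = int.from_bytes(_word(data, 0), "big")   # head word 0
    next_ptr = _address(_word(data, 32))                   # head word 1
    count = int.from_bytes(_word(data, array_offset), "big")
    modules = [_address(_word(data, array_offset + 32 * (i + 1)))
               for i in range(count)]
    return modules, next_ptr

def audit_modules(ret_hex: str, reviewed: list) -> dict:
    """Flag enabled modules that are not on the reviewed allowlist."""
    modules, next_ptr = decode_modules_page(ret_hex)
    allowed = {a.lower() for a in reviewed}
    return {
        "modules": modules,
        "unreviewed": [m for m in modules if m not in allowed],
        # Anything other than the sentinel (or zero) means another page exists.
        "more_pages": next_ptr not in (SENTINEL, ZERO),
    }

# Constructed sample: two enabled modules, end of list reached.
SAMPLE_RETURN = "0x" + "".join(w.rjust(64, "0") for w in
                               ["40", "01", "02", "11" * 20, "22" * 20])

if __name__ == "__main__":
    report = audit_modules(SAMPLE_RETURN, reviewed=["0x" + "11" * 20])
    for addr in report["unreviewed"]:
        print("unreviewed module enabled:", addr)
```

When `more_pages` is true, call the view again with the last returned module as `start` before treating the audit as complete.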