Cross-chain protocol Squid has denied involvement in a smart contract exploit that drained roughly $3m from dozens of Gnosis Safe wallets across Ethereum and Base. It follows public reports linking the incident to a contract named “SquidRouterModule.”
Blockchain security firm Blockaid said on 25 May that it detected an ongoing exploit affecting 86 Gnosis Safes over a roughly two-hour period.
According to Blockaid, the attacker exploited a vulnerability in the executeSameChainActions() function tied to a contract verified as “SquidRouterModule.” This allowed malicious transactions to impersonate authorized delegates and execute arbitrary token swaps from victim wallets.
The stolen assets were allegedly swapped through attacker-controlled Uniswap V3 pools before being consolidated into roughly $3.07m worth of DAI.
Squid says the vulnerable module was not part of its core protocol
In a public response, Squid said the exploit did not affect its core contracts, users, or integrations.
The protocol stated that the vulnerable module was a “third-party smart-wallet product” that integrated with Squid. However, it was not built, deployed, or operated by the company itself.
“The accurate framing is: a third-party SquidRouterModule was exploited, not Squid’s Router contract,” the company wrote.
Squid also claimed the vulnerable contract accepted a caller-supplied constant string as proof that a message was secure. This allowed attackers to execute arbitrary calldata after the module was added as a trusted Safe module.
Because trusted Safe modules can spend assets without requiring additional signatures, attackers were allegedly able to drain tokens directly from affected wallets.
Exploit highlights growing risks around wallet modules
The incident underscores growing security concerns surrounding third-party wallet modules, delegated execution systems, and composable DeFi integrations.
Attackers increasingly exploit external permissions, middleware infrastructure, and auxiliary modules connected to broader ecosystems. They do this rather than targeting a protocol’s core contracts directly
In this case, the exploit allegedly combined Safe module permissions, delegate execution paths, and manipulated Uniswap liquidity pools to facilitate the theft.
The attack also highlights how naming conventions and integrations can create reputational spillover during exploits. This happens particularly when vulnerable third-party contracts reference larger protocols.
Blockaid said the attacker deployed exploit contracts using Foundry tooling and created attacker-controlled tokens and liquidity pools as part of the exploit flow.
At the time of writing, no indication had emerged suggesting Squid’s main router contract or core user funds were compromised.
Final Summary
- Blockaid said an exploit involving a contract named “SquidRouterModule” drained roughly $3m from 86 Gnosis Safe wallets across Ethereum and Base.
- Squid said the vulnerable module was a third-party integration unrelated to its core protocol or router contracts.
