
A third-party Gnosis Safe module was exploited across Ethereum and Base, draining approximately $3.2 million from 86 Safes in roughly two hours, security firms Blockaid and PeckShield reported.
The vulnerable contract, verified on Basescan under the name "SquidRouterModule," was not built, deployed, or operated by the cross-chain protocol Squid.
"The contract called SquidRouterModule is unrelated to Squid. We don't know yet who wrote or deployed this," pseudonymous Squid co-founder Fig wrote on X. Its core router was architecturally separate and untouched, the project’s official X page added.
The exploit worked because the module accepted a caller-supplied constant string as proof that a message was secure.
Passing that string allowed an attacker to execute arbitrary calldata and spend any tokens held in the victim's Safes without signatures, according to Squid.
The attacker deployed Foundry-based exploit contracts that called the module's DelegateBundler path, impersonating authorized delegates on each Safe and triggering arbitrary swaps through Uniswap V3 pools, Blockaid wrote.
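The flaw class described above, as an added illustration that is not the exploited contract's code (its source is not reproduced here): a Safe module that treats a caller-supplied constant as authorization, beside a variant that authorizes on `msg.sender` against a per-Safe delegate list. Contract names, function names and the marker value are constructed for this example; only `execTransactionFromModule` is Safe's own module entry point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal slice of the Safe interface. An enabled module may call this to
// make the Safe execute a transaction without any owner signatures.
interface ISafe {
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation)
        external returns (bool success);
}

// WEAK (hypothetical contract): the "proof" is a value every caller can read
// from the bytecode or from earlier transactions, so it authenticates nobody.
contract MarkerCheckedModule {
    bytes32 private constant SECURE_MARKER = keccak256("constructed-marker");

    function execute(ISafe safe, address to, bytes calldata data, string calldata marker) external {
        require(keccak256(bytes(marker)) == SECURE_MARKER, "not secure");
        // Any caller reaches this line for any Safe that enabled the module.
        require(safe.execTransactionFromModule(to, 0, data, 0), "exec failed");
    }
}

// HARDENED (hypothetical contract): authorization comes from the authenticated
// caller and from state that only the Safe itself can write.
contract DelegateCheckedModule {
    mapping(address => mapping(address => bool)) public isDelegate;    // safe => delegate
    mapping(address => mapping(address => bool)) public allowedTarget; // safe => call target

    // msg.sender is the Safe here, so a Safe can only edit its own entries,
    // and only through a transaction its owners signed.
    function setDelegate(address delegate, bool ok) external { isDelegate[msg.sender][delegate] = ok; }
    function setTarget(address target, bool ok) external { allowedTarget[msg.sender][target] = ok; }

    function execute(ISafe safe, address to, bytes calldata data) external {
        require(isDelegate[address(safe)][msg.sender], "caller is not a delegate");
        require(allowedTarget[address(safe)][to], "target not allowed");
        require(safe.execTransactionFromModule(to, 0, data, 0), "exec failed");
    }
}
```

Because an enabled module bypasses the Safe's signature threshold, a review of any third-party module should confirm that every path reaching `execTransactionFromModule` is gated on who is calling, not on what the caller passes in.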
Target assets were swapped through attacker-seeded Uniswap V3 pools into a worthless attacker-created token called "u." The attacker then removed liquidity from the pools and consolidated the proceeds into roughly 3.07 million DAI, now held in a wallet beginning "0xa447...54859," according to PeckShield.
The exploiter's initial funding of 2.1 ETH came from Tornado Cash, PeckShield added.
Squid said early public reporting referencing "SquidRouter" was technically inaccurate. The contract shares the Squid name but is a third-party product that chose to integrate with Squid among other protocols and had no contact with the team, the project wrote.
DeFi has logged more than $770 million in losses in 2026, with April alone setting a record of roughly 30 incidents and more than $630 million drained, The Block's data dashboard shows.
Squid recently announced it had raised $6 million in a strategic funding round led by North Island Ventures, with Ripple, Dialectic, and Borderless also participating.
Cross-chain interoperability has long been one of the most difficult areas in crypto, with the sector experiencing multiple bridge exploits and security incidents over the years. Squid's Fig told The Block last week that the project has completed nine independent security audits to date, recorded no exploits, and maintained 99.99% uptime.
Asked at the time whether Squid is looking to serve projects reassessing their cross-chain infrastructure following issues elsewhere in the market, Fig said the platform is open to conversations with teams seeking secure connectivity.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.