Blockaid flagged a vulnerability in SquidRouterModule that drained approximately $3 million from 86 Gnosis Safe wallets. The attacker swapped the stolen tokens into DAI on both Ethereum and Base, then moved the funds out of the compromised accounts.
The exploit targeted a smart contract module commonly integrated into Gnosis Safe configurations. Gnosis Safe itself – the multi-signature wallet infrastructure – was not breached. The vulnerability lay in how the SquidRouterModule handled certain function calls, allowing an unauthorized actor to execute token transfers from connected wallets.
What makes this incident noteworthy is the scale. Eighty-six wallets suggests a coordinated targeting pattern, not random attacks. The attacker may have identified a common integration across multiple Safe instances and exploited it systematically. The choice to convert stolen assets into DAI on two separate chains indicates sophistication – spreading the illicit proceeds across Ethereum and Base potentially complicates tracing and recovery efforts.
Blockaid's detection came from their transaction monitoring infrastructure, which flagged the unusual wallet drains and cross-chain swaps. The security firm raised the alert without delay, which is standard practice in the DeFi monitoring space. Whether affected users had already lost access to their funds by the time the alert went public remains unclear from the initial report.
The incident underscores a recurring weakness in modular wallet architectures. Users who adopt non-native modules – even from established projects – assume a secondary layer of smart contract risk. The SquidRouterModule was designed to facilitate routing across liquidity pools and bridges, a utility function that required elevated permissions on connected wallets. Those same permissions became the attack surface.
Recovery prospects depend on whether the drained DAI remains traceable on-chain and whether the attacker moved it through mixers or bridges to obscure the trail. Gnosis Safe users should audit their connected modules immediately and revoke permissions from any third-party contracts they do not actively use. The Blockaid alert should prompt affected users to check transaction histories for unauthorized module executions and contact the SquidRouter team for a detailed postmortem and any available remediation steps.
$3M drained from 86 Safes via SquidRouterModule exploit
Blockaid detected a SquidRouterModule exploit that drained approximately $3M from 86 Gnosis Safe wallets, with stolen tokens swapped to DAI across Ethereum and Base networks. This represents a significant smart contract vulnerability affecting a widely-used wallet infrastructure component.