On May 25, 2026, security alerts revealed a major exploit targeting the Base and Ethereum networks, leading to the theft of $3.2 million in crypto assets from 86 different Gnosis Safe wallets in under two hours. The breach was traced to a vulnerability in an “SquidRouterModule” smart contract, which caused major confusion in the community because of its similarity to the official Squid Router network.
Details of the breach and hacker’s method
Leading blockchain security firms PeckShield and Blockaid were quick to identify the attack. According to PeckShield’s report, the hacker first obtained 2.1 ETH through TornadoCash, then swiftly converted the stolen assets into nearly 3 million DAI tokens via Uniswap V3 pools. The wallet address used in the exploit was also made public.
PeckShield reported that the attacker exploited a vulnerability in the SquidRouterModule to convert about $3 million worth of assets to DAI, storing the stolen funds in a wallet starting with 0xA447.
Blockaid’s analysis highlighted that 86 Gnosis Safe wallets became compromised in a very short span. The affected users had previously granted extended permissions to the contract, meaning no signatures were required for transfers, allowing the exploit to succeed rapidly.
SquidRouterModule flaw and technical background
The root of the incident lay in a Gnosis Safe module created by a third-party developer. The “SquidRouterModule” smart contract, which was verified on Basescan, accepted an immutable string submitted by the caller as a supposed security proof.
Mini glossary: Gnosis Safe – A popular crypto wallet solution known for its multisig (multiple signature) feature, providing extra security for users’ funds. Authorized modules are plugins that can bypass the normal signature requirements.
As this string was visible in open-source code, attackers could easily bypass security checks. Since victims had already whitelisted this module as a “trusted Safe module,” hackers were able to drain any amount of assets from their Gnosis Safe wallets. The architecture of the official Squid Router contract, which was also mentioned, is entirely different and was unaffected by the breach.
Squid Router clarifies: No connection to the attack
Following confusion in the aftermath, the official Squid Router social media account issued a swift statement. They clarified that the module targeted in the attack was neither developed, deployed, nor maintained by the Squid team. The problematic module belonged to an unrelated third-party wallet provider aiming for integration with Squid and other projects.
The announcement emphatically stated that the core Squid protocol and its associated contracts are not impacted by the vulnerability. It also reassured users that neither Squid users nor its connected services are at risk. The company stressed the need to correctly attribute such vulnerabilities to their actual sources, to avoid confusion due to similar names.
Binance founder issues critical security alert to developers
With software supply chain vulnerabilities on the rise in the crypto space, Binance founder Changpeng Zhao (CZ) issued a crucial warning to developers following a new security breach. After a data leak on Github, CZ emphasized the importance of reviewing and rotating API keys for both users and developers.
CZ highlighted that API keys embedded in code for trading bots, decentralized finance apps, and analytics platforms—even when stored privately—can pose a risk if leaked. He urged developers to regularly review and refresh such keys, regardless of whether they are kept in private repositories.
