Squid Distances Itself From $3.2M Third-Party Module Hack

Table of Contents A third-party module exploit drained about $3.2 million from 86 Gnosis Safe wallets across Ethereum and Base. Squid clarified it had no role in the vulnerable contract and distanced itself from the incident. Security firms Blockaid and PeckShield confirmed the attack unfolded within roughly two hours. The compromised contract appeared on Basescan under the name SquidRouterModule. However, Squid stated the module was unrelated to its core infrastructure. Squid co-founder Fig addressed the issue in a public post on X. He said, “The contract called SquidRouterModule is unrelated to Squid.” The project explained that its core router remained separate and unaffected. It added that the team had no knowledge of who deployed the contract. The official Squid account also corrected early reports linking the exploit to its system. It stated that the module only shared the name and had no direct connection. The team emphasized that the product was built by a third party. It said the module integrated with several protocols without prior coordination. Squid confirmed it had no contact with the developers behind the contract. The project maintained that its systems remained secure throughout the event. According to investigators, the module accepted a caller-supplied string as proof of message security. This flaw allowed attackers to bypass signature verification. Once validated, attackers executed arbitrary calldata from affected Safes. This enabled unauthorized transfers of tokens without owner approval. Blockaid reported that the attacker used Foundry-based exploit contracts. These contracts impersonated authorized delegates through the module’s DelegateBundler function. The attacker routed stolen assets through Uniswap V3 pools. They swapped tokens into a worthless asset labeled “u.” After swaps, the attacker removed liquidity from those pools. They then consolidated the funds into about $3.07 million in DAI. PeckShield confirmed the funds now sit in a wallet starting with “0xa447…54859.” The firm also traced initial funding of 2.1 ETH to Tornado Cash. This incident is unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed. A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable… https://t.co/I3gGmdBvE9 — squid (@squidrouter) May 25, 2026 The incident adds to growing crypto losses in 2026. DeFi platforms have recorded over $770 million in total losses this year. April alone saw around 30 separate incidents. These events resulted in more than $630 million drained from various protocols. Squid recently raised $6 million in a funding round led by North Island Ventures. Ripple, Dialectic, and Borderless also participated. The project stated it has completed nine independent audits. It also reported 99.99% uptime with no prior exploit incidents.