A sophisticated exploit targeting a third-party module on Gnosis Safe wallets has resulted in the loss of approximately $3.2 million across 86 multisig wallets in just two hours, raising serious concerns about the security of composable smart contract architectures in decentralized finance.
Key Takeaways
- $3.2 million stolen from 86 Gnosis Safe wallets via a fake SquidRouterModule.
- Vulnerability: module did not properly validate caller identity, allowing unauthorized transactions.
- Squid protocol distanced itself, confirming the module was a third-party deployment.
- Exploit completed in two hours, with funds consolidated into DAI.
How the Exploit Worked
The attack exploited a fundamental flaw in the SquidRouterModule's message validation logic. Instead of verifying who was calling it, the module accepted a caller-supplied string and compared it against a fixed value hard-coded in the contract. Because the contract's source was verified on Basescan, that value was readable by anyone, so the attacker simply passed it in and was treated as an authorized caller.
| Stage | Action | Impact |
|---|---|---|
| 1 | Identified hard-coded security string in contract code | Exposed vulnerability |
| 2 | Deployed exploit contracts to call module’s DelegateBundler | Gained unauthorized access |
| 3 | Drained 86 wallets and swapped assets to DAI via controlled Uniswap V3 pools | $3.2 million stolen |
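To make the flaw concrete, the following is an added illustration written for this article; it is not the SquidRouterModule's actual source, which the article does not reproduce. It shows a minimal Safe module that authenticates with a hard-coded string (the pattern described above) next to a version that authenticates the caller and requires each Safe to opt in to a remote sender. The `ISafe` interface matches the real Safe `execTransactionFromModule` signature; the message layout, the gateway contract, the string value and the contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the SquidRouterModule's real code. Only the Safe
// interface below is real; everything else is a hypothetical reconstruction.

// Subset of the Safe interface available to every enabled module. A module that
// reaches this function executes from the Safe with no owner signatures at all.
interface ISafe {
    function execTransactionFromModule(
        address to,
        uint256 value,
        bytes calldata data,
        uint8 operation // 0 = CALL, 1 = DELEGATECALL
    ) external returns (bool success);
}

// VULNERABLE PATTERN: the "secret" is a contract constant. Verified source on a
// block explorer shows it directly, and even unverified bytecode embeds it, so
// any address can present it.
contract VulnerableModule {
    string private constant SECURITY_STRING = "hypothetical-secret"; // assumed value

    function executeBundle(
        ISafe safe,
        string calldata securityString, // caller-supplied; the only "auth" check
        address to,
        uint256 value,
        bytes calldata data
    ) external {
        require(
            keccak256(bytes(securityString)) == keccak256(bytes(SECURITY_STRING)),
            "bad security string"
        );
        // msg.sender is never checked: whoever knows the string can drain every
        // Safe that has enabled this module.
        require(safe.execTransactionFromModule(to, value, data, 0), "exec failed");
    }
}

// HARDENED PATTERN: authenticate the caller, not a string. Only a pinned gateway
// may deliver bundles, and each Safe must have approved the remote sender it is
// willing to accept, via a normal multisig transaction from the Safe itself.
contract HardenedModule {
    address public immutable trustedGateway; // assumed: set once at deployment

    // safe => keccak256(sourceChain, sourceAddress) => approved
    mapping(address => mapping(bytes32 => bool)) public approvedSources;

    constructor(address gateway) {
        trustedGateway = gateway;
    }

    // msg.sender is the Safe, so owners explicitly opt in to each remote sender.
    function setApprovedSource(
        string calldata sourceChain,
        string calldata sourceAddress,
        bool approved
    ) external {
        approvedSources[msg.sender][keccak256(abi.encode(sourceChain, sourceAddress))] = approved;
    }

    function executeBundle(
        ISafe safe,
        string calldata sourceChain,
        string calldata sourceAddress,
        address to,
        uint256 value,
        bytes calldata data
    ) external {
        require(msg.sender == trustedGateway, "caller is not the gateway");
        bytes32 source = keccak256(abi.encode(sourceChain, sourceAddress));
        require(approvedSources[address(safe)][source], "source not approved by this Safe");
        require(safe.execTransactionFromModule(to, value, data, 0), "exec failed");
    }
}
```

Even the hardened version hands the gateway the full power of every Safe that enables it; in practice a module should also restrict `to` and the calldata it will forward to an allowlist the Safe controls, so a compromised gateway cannot turn the module into the same unconditional drain.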
"The module didn't properly check who was actually calling it," explained a security researcher from Blockaid. "The attacker injected caller-supplied strings to impersonate authorized users, effectively tricking the module into executing transactions without the wallet owners' consent."
Security Researcher, Blockaid
Brand Confusion and Squid’s Response
Squid, the cross-chain routing protocol, quickly distanced itself from the exploited module, stating it was a third-party deployment unrelated to its core contracts. The protocol emphasized that its main router contract was not involved.
"This incident is unrelated to Squid's core protocol and contracts. All Squid users and integrators are unaffected and no action is needed."
Squid Official Statement
What This Means for Gnosis Safe Users
The exploit highlights a structural risk in Gnosis Safe's modular architecture: an enabled module can execute transactions from the Safe without collecting owner signatures, so the multisig threshold protects nothing that the module's own access-control logic does not. A module with inadequate validation therefore turns every Safe that enabled it into a wallet any caller can spend from. Users must exercise caution when enabling third-party modules.
Security Recommendations
- Immediately disable the SquidRouterModule on affected Safes. Safe modules are either enabled or disabled; there are no partial permissions to revoke.
- Only activate modules from trusted, audited sources.
- Regularly review which modules have access to your Gnosis Safe.
The Broader DeFi Security Landscape
DeFi exploits have exceeded $770 million in 2026, with this incident underscoring the need for better verification and rapid response mechanisms. Verification on block explorers does not equate to an audit.
"Verification is not an audit. Verified contracts are simply readable. The SquidRouterModule was verified on Basescan, which means anyone could read its code and discover the hard-coded security string, which is exactly what the attacker did."
Security Researcher
Lessons for the Industry
Key lessons include the importance of due diligence for module users, the systemic risk of composability, and the need for clearer branding and verification systems to prevent confusion.
Conclusion
The Gnosis Safe exploit serves as a critical reminder that composability in DeFi must be paired with robust security practices. As total value locked grows, the incentives for attackers increase, making proactive measures essential for protecting user funds.
Sources
- Coinacademy.fr
- Crypto Briefing
- crypto.news
- Blockaid (X), Active exploit alert, May 25, 2026
- PeckShield (X), Attack analysis and fund flow, May 25, 2026
- Squid official statement on X (@squidrouter), May 25, 2026
This article is published for informational and educational purposes only. It does not constitute investment advice. Do your own research (DYOR) before making any decisions.