Overview
- Security firm Blockaid and others reported that attackers drained 86 Gnosis Safe wallets on Ethereum and Base for roughly $3 million to $3.2 million in about two hours on May 25.
- Investigators say the SquidRouterModule accepted a fixed, caller-supplied validation string instead of checking who the caller actually was, so attackers could pose as delegates through the module’s DelegateBundler function and make arbitrary calls from the affected Safes.
- The attacker, initially funded through Tornado Cash, deployed Foundry-built exploit contracts, routed the stolen USDC, ENA and USDT through attacker-controlled Uniswap V3 pools, removed the liquidity, and consolidated about 3.07 million DAI in a single wallet.
- Squid has publicly denied developing or operating the SquidRouterModule and says its core router contracts were not involved; researchers note that the module’s verified source code on the block explorer gave users a false sense of security, since verification only proves the bytecode matches the published source, not that the code is safe.
- Security teams advise any Safe owners who enabled the SquidRouterModule to disable it immediately (modules are removed with the Safe’s disableModule call, which itself needs a normal owner-signed transaction) and to audit every third-party module they have enabled: a Safe module calls execTransactionFromModule directly and bypasses the owner-signature threshold, so the module’s own access checks are the only thing standing between an attacker and the Safe’s funds.
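The weak-check pattern the investigators describe, shown next to a hardened version, as an added illustration written for this page. This is not the SquidRouterModule’s code and makes no claim about its internals; the contract names, the `delegateBundle` function and the constant `EXPECTED` are hypothetical. The `ISafe` slice matches the real Safe `ModuleManager` signature for `execTransactionFromModule`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal slice of the Safe interface a module needs. Any module the Safe has
// enabled may call execTransactionFromModule and the Safe executes it with NO
// owner signatures, so the module's own checks are the whole security boundary.
interface ISafe {
    enum Operation { Call, DelegateCall }
    function execTransactionFromModule(
        address to, uint256 value, bytes calldata data, Operation operation
    ) external returns (bool success);
}

// WEAK (hypothetical illustration, not the SquidRouterModule): the caller passes in
// both the "validation" value and the delegate identity it claims. The validation is
// compared only against a public constant, and `delegate` is never compared with
// msg.sender, so anyone who reads the constant can drive every Safe that enabled this.
contract WeakDelegateModule {
    bytes32 public constant EXPECTED = keccak256("valid"); // hypothetical fixed value

    function delegateBundle(
        address safe,
        address delegate,      // claimed identity, never checked
        bytes32 validation,    // caller-supplied, matched against a constant
        address to,
        uint256 value,
        bytes calldata data
    ) external returns (bool) {
        require(validation == EXPECTED, "bad validation");
        delegate; // unused for authorization: this is the bug
        return ISafe(safe).execTransactionFromModule(to, value, data, ISafe.Operation.Call);
    }
}

// HARDENED: delegates are registered per Safe by the Safe itself (so registration
// goes through the Safe's normal owner-threshold signatures), the acting delegate
// must be msg.sender, calls back into the Safe are refused (no enableModule/addOwner
// via the module), and DelegateCall is never offered.
contract CheckedDelegateModule {
    // safe => delegate => allowed
    mapping(address => mapping(address => bool)) public delegateOf;

    event DelegateSet(address indexed safe, address indexed delegate, bool allowed);

    // Only callable as a transaction executed by the Safe, i.e. msg.sender is the Safe.
    function setDelegate(address delegate, bool allowed) external {
        delegateOf[msg.sender][delegate] = allowed;
        emit DelegateSet(msg.sender, delegate, allowed);
    }

    function delegateBundle(
        address safe,
        address to,
        uint256 value,
        bytes calldata data
    ) external returns (bool) {
        require(delegateOf[safe][msg.sender], "not a delegate for this safe");
        require(to != safe, "no calls back into the safe");
        return ISafe(safe).execTransactionFromModule(to, value, data, ISafe.Operation.Call);
    }
}
```

When auditing a module, the questions to ask are exactly the ones the hardened version answers: does every path that reaches `execTransactionFromModule` tie authorization to `msg.sender` (not to a value the caller supplies), who can change the set of authorized callers, can the module be pointed back at the Safe itself, and can it request `DelegateCall`. To see what a Safe currently has enabled, read `getModulesPaginated` on the Safe proxy (the list starts at the sentinel address `0x...01`); removing one is `disableModule(prevModule, module)`, submitted as an ordinary owner-signed Safe transaction.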