A flaw in something called the SquidRouterModule allowed an attacker to siphon roughly $3.2 million from 86 Gnosis Safe wallets spread across Ethereum and Base. The entire heist took about two hours.

Blockchain security firm Blockaid identified the breach on May 25. The stolen funds were quickly swapped into DAI through Uniswap V3 pools the attacker had opened, consolidating approximately $3.07 million into a single wallet.

Here’s the thing: the exploited module wasn’t even part of the core Squid protocol. It was a third-party add-on, which makes the whole situation both less surprising and more alarming.

How the exploit worked

The problem, according to both Blockaid and PeckShield, was improper identity validation within the module: it did not verify who was actually calling it. Instead of deriving the caller's identity from the transaction itself, the module accepted caller-supplied strings as proof of identity, so the attacker could pass in values that impersonated authorized users and trick the module into executing transactions without the wallet owners' consent.
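To make the bug class concrete, here is an added illustration (written for this article, not Squid's code, and not a reconstruction of the SquidRouterModule) of what "improper identity validation" looks like in a Safe module and how the hardened form differs. It assumes a module that is enabled on a Safe and uses two real Safe functions, isOwner and execTransactionFromModule, declared inline so the file compiles on its own; the contract names, the execute function and its parameters are hypothetical. The page describes caller-supplied strings; the example uses a caller-supplied address, but the flaw is the same: authorization is keyed off a value the caller chooses rather than off msg.sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of the Safe interface this example needs. Both functions exist on
// Gnosis Safe / Safe contracts; they are declared inline so this file is self-contained.
interface ISafe {
    function isOwner(address owner) external view returns (bool);
    function execTransactionFromModule(
        address to,
        uint256 value,
        bytes calldata data,
        uint8 operation // 0 = Call, 1 = DelegateCall
    ) external returns (bool success);
}

// WEAK PATTERN (hypothetical, illustrative only): the module accepts an identity from
// calldata and never ties it to the actual sender. Anyone who knows an owner's address
// can pass it in, and the Safe will execute whatever the module asks for, because a
// module bypasses the Safe's signature threshold entirely.
contract WeakModule {
    function execute(
        ISafe safe,
        address claimedOwner, // chosen by the caller, never compared to msg.sender
        address to,
        uint256 value,
        bytes calldata data
    ) external returns (bool) {
        require(safe.isOwner(claimedOwner), "not an owner");
        return safe.execTransactionFromModule(to, value, data, 0);
    }
}

// HARDENED PATTERN: authorization is derived from msg.sender, which the EVM sets and
// the caller cannot forge, and is checked against the Safe's own owner set. Only
// operation 0 (Call) is allowed; a DelegateCall from a module would run arbitrary code
// in the Safe's storage context. The event gives owners and monitors a trace to alert on.
contract HardenedModule {
    event ModuleExecuted(address indexed safe, address indexed owner, address to, uint256 value);

    function execute(
        ISafe safe,
        address to,
        uint256 value,
        bytes calldata data
    ) external returns (bool success) {
        require(safe.isOwner(msg.sender), "caller is not a Safe owner");
        success = safe.execTransactionFromModule(to, value, data, 0);
        require(success, "safe call failed");
        emit ModuleExecuted(address(safe), msg.sender, to, value);
    }
}
```

Two caveats for anyone reviewing a module rather than writing one. First, even the hardened version lets a single owner act alone: a module executes with the Safe's full authority and never goes through the multisig threshold, so the module's own check is the only gate, and a production module should enforce its own threshold, signature scheme or tightly scoped allow-list of targets. Second, because an enabled module is effectively a co-signer, the practical check for Safe owners is to enumerate enabled modules (the Safe contract exposes getModulesPaginated for this) and treat any module they do not recognize, or cannot audit, as a compromise of the wallet rather than an add-on.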