Squid rushes to separate brand from $3 million Gnosis Safe module exploit

Squid has moved quickly to stress that a recent $3 million exploit targeted a third party Gnosis Safe module called SquidRouterModule, not its core cross chain routing contracts, after 86 wallets on Ethereum and Base were drained in under two hours.

According to on chain security firm Blockaid, the attack centered on a Gnosis Safe module named SquidRouterModule deployed on Ethereum and Base, which was used by some multisig owners to route cross chain transactions involving Squid and other protocols.

Blockaid reported that over roughly two hours the attacker siphoned funds from 86 Gnosis Safe wallets, with total losses of about $3 million to $3.2 million, before consolidating the proceeds into a single address holding just over 3.07 million DAI.

In a detailed summary, KuCoin’s news desk cites Blockaid and Squid as saying the stolen tokens were swapped into DAI via a custom Uniswap V3 pool set up by the attacker, who then aggregated the drained funds into one wallet to simplify laundering.

The core bug sat inside the SquidRouterModule’s “message security” logic: Binance Square coverage explains that the module simply accepted a constant string provided by the caller as proof that a message was valid, which meant anyone who could see the contract code could copy the string and pass arbitrary call data.

CoinNess reports that the attacker exploited this public fixed string verification to execute arbitrary calls from the affected Safes, effectively granting themselves permission to move assets out of the multisigs without owner confirmation.

How did the SquidRouterModule exploit drain 86 Gnosis Safes?

Binance’s incident note describes it bluntly, saying the design “accepted a fixed string provided by the caller for message security,” a pattern that eliminated any real authentication and opened a direct path for draining funds from integrated wallets.

This is a known class of risk for Gnosis Safe modules, as earlier research by OpenZeppelin showed that any attached module can execute transactions from a wallet without owner approval if its internal checks are weak or misconfigured.

In this case, the unsafe module was branded with the Squid name but was developed and deployed by a third party integrator, not by the Squid team or its core protocol maintainers.

Why is Squid distancing its core router from the hack?

In an official X post, Squid stated that “this incident is unrelated to Squid’s core protocol and contracts,” and emphasized that its main routing contract, identified on chain as 0xce16F69375520ab01377ce7B88f5BA8C48F8D666, “was not involved in any of the malicious transactions.”

KuCoin’s write up notes that Squid clarified the SquidRouterModule “was neither developed, deployed, nor operated by them; the name was independently chosen by a third party when integrating with Squid,” and that it sits completely outside the architecture of the core router.

The team further stressed that users’ funds, existing approvals and protocol level integrations remain secure, and that “Squid’s core cross chain routing remains unaffected,” while it continues to monitor the situation and coordinate with security firms.

Despite this, the optics are bad: as the KuCoin piece points out, headlines inevitably pair “Squid” with “hack,” even though the blast radius is limited to a sloppy Safe module whose only real connection to the project is the branding and its use of Squid as one of several integrated routers.

Security researchers have long warned that Gnosis Safe’s power comes with a caveat that any module plugged into a Safe can execute transactions without owner confirmations if its logic is flawed, which is exactly what happened here once the fixed string check was bypassed.

For the broader cross chain and wallet extension ecosystem, the SquidRouterModule incident is another concrete example of how composability plus lazy security assumptions in peripheral modules can open attack surfaces completely outside a protocol’s own contracts and audits.

It also underlines a painful reality for infrastructure teams like Squid, which Axelar describes as “a protocol that enables cross chain liquidity routing and swaps through a single SDK”: even when your own contracts are sound, third party wrappers can still drag your brand into exploit headlines if they fail basic security hygiene.