Squid disowns $3.2M Gnosis Safe module hack

Attackers drained about $3.2 million from 86 Gnosis Safe accounts by exploiting a third-party ‘SquidRouterModule’ on Ethereum and Base; Squid says its code was not involved.

Attackers exploited a third-party contract named ‘SquidRouterModule’ to drain about $3.2 million from 86 Gnosis Safe accounts on Ethereum and Base. Security firms say the theft unfolded over roughly two hours and targeted Safes that had added the module as a trusted Safe Module.

Squid moved quickly on X to separate its protocol from the compromised contract, writing that the contract “shares our name but is not our code.” The company provided its actual router address, 0xce16F69375520ab01377ce7B88f5BA8C48F8D666, and said that router was not involved and that its users were not affected.

According to Squid’s technical account, the exploited third-party module accepted a caller-supplied constant string as proof that a message was secure. That value appears in the module’s verified code; when provided, it allowed a caller to execute an array of arbitrary calldata. Because the affected Safes had granted the module trusted-module status, the contract could move tokens from those Safes without additional signatures.

Blockchain security firm Blockaid reported that the attacker converted stolen tokens into DAI through attacker-controlled Uniswap V3 pools. PeckShield traced the exploiter’s initial funding to a 2.1 ETH transfer from Tornado Cash and identified the address 0xA447…54859 as holding the stolen funds. On-chain monitoring shows the exploiter moved funds across chains and into different token types after the breach.

Gnosis Safe modules allow external contracts to be added to a Safe to provide extra functionality. When a module is trusted by a Safe, it can initiate transactions on behalf of the Safe without additional approvals; that permission model has been the vector in previous module-related exploits.

Security teams continue to investigate the attack flow and the funds trail. Squid urged users and integrators to confirm contract addresses and inspect module code provenance before granting permissions to third-party modules.
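One way to act on that advice is to audit which modules a Safe has enabled by address rather than by name. The sketch below is an added example, not code from Squid, Safe or the security firms quoted here: it decodes the return data of the Safe contract's `getModulesPaginated(address,uint256)` view function and flags any module address missing from a reviewed list. The module addresses and the return data are constructed placeholders, and fetching the data with an `eth_call` is assumed to happen elsewhere.

```python
# Added example: audit a Safe's enabled modules by address, not by name.
# All addresses below are constructed placeholders, not real contracts.
SENTINEL = "0x" + "00" * 19 + "01"   # Safe's end-of-list marker for modules
MOD_A = "0x" + "11" * 20             # constructed: module the owners reviewed
MOD_B = "0x" + "22" * 20             # constructed: module nobody reviewed

def _word(data: bytes, pos: int) -> bytes:
    """Return the 32-byte ABI word at byte offset pos, or fail on short data."""
    word = data[pos:pos + 32]
    if len(word) != 32:
        raise ValueError("truncated ABI data")
    return word

def _addr(word: bytes) -> str:
    """Convert a left-padded ABI word into a lowercase 0x address."""
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()

def decode_modules_page(ret_hex: str):
    """Decode (address[] array, address next) from getModulesPaginated."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    offset = int.from_bytes(_word(data, 0), "big")   # where the array starts
    nxt = _addr(_word(data, 32))
    count = int.from_bytes(_word(data, offset), "big")
    if count > (len(data) - offset - 32) // 32:
        raise ValueError("array length exceeds returned data")
    start = offset + 32
    return [_addr(_word(data, start + 32 * i)) for i in range(count)], nxt

def audit_modules(ret_hex: str, reviewed: list) -> dict:
    """Flag enabled modules whose address is absent from the reviewed list."""
    modules, nxt = decode_modules_page(ret_hex)
    allow = {a.lower() for a in reviewed}
    return {
        "unreviewed": [m for m in modules if m not in allow],
        "complete": nxt == SENTINEL,   # False means more pages must be fetched
    }

def _pad(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:])

# Constructed return data: one page holding MOD_A and MOD_B, end of list.
SAMPLE = "0x" + ((0x40).to_bytes(32, "big") + _pad(SENTINEL)
                 + (2).to_bytes(32, "big") + _pad(MOD_A) + _pad(MOD_B)).hex()

if __name__ == "__main__":
    print(audit_modules(SAMPLE, reviewed=[MOD_A]))
```

An audit that returns `complete: False` has not seen every enabled module and should not be treated as a clean result.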