Blockaid said it detected an active exploit targeting the SquidRouterModule on Ethereum and Base, with 86 Gnosis Safes drained for about $3 million in roughly two hours.
Summary
- Blockaid said 86 Gnosis Safes were drained for about $3 million within roughly two hours.
- The attacker swapped stolen assets into DAI through attacker-controlled Uniswap V3 pools, Blockaid said.
- Related crypto.news coverage shows May has brought repeated DeFi exploits across wallets, bridges, and stablecoins.
The blockchain security firm said the stolen tokens were swapped into DAI through attacker-controlled Uniswap V3 pools. The alert listed an exploiter address, a consolidation wallet, and one example drain transaction.
According to Blockaid’s X thread, the exploit targeted Gnosis Safes linked to the SquidRouterModule. The firm said the attack moved quickly, draining dozens of Safes before the stolen assets were converted.
The alert identified the exploiter address as 0x9bdc730183821b6bb2b51be30b77c964fa645b91. Etherscan data shows that address was funded by Tornado Cash and recorded 52 transactions, with activity listed on May 25.
Blockaid also pointed to a consolidation wallet holding the proceeds. Etherscan data for that wallet showed about 3.07 million DAI, worth roughly $3.07 million, alongside a small ETH balance.
Stolen tokens move through Uniswap V3
The example transaction shared by Blockaid succeeded at 06:25:23 UTC on May 25. Etherscan shows the transaction came from the exploiter address and interacted with another address tied to the reported flow.
The same transaction page shows swaps involving USDC, ENA, and USDT through Uniswap V3 pools. These details match Blockaid’s claim that stolen assets were routed through decentralized exchange pools before being consolidated.
In response, Squid later said the incident was unrelated to its core protocol and contracts. The team said all Squid users and integrators were unaffected and no action was needed. According to Squid, the exploited contract was a third-party Gnosis Safe module verified on Basescan as “SquidRouterModule,” but it was not built, deployed, or operated by Squid.
Squid said the exploit came from a faulty third-party smart-wallet module that victims had added as a trusted Safe Module. The team added that its official router contract was architecturally different and was not touched.
May exploit wave keeps security teams active
The SquidRouterModule incident comes during an active month for onchain security teams. Crypto.news reported one day earlier that StablR’s EURR and USDR stablecoins lost their pegs after a suspected private key compromise let an attacker take control of minting permissions and extract about $2.8 million.
That report said Blockaid traced the StablR incident to a compromised multisig owner. The attacker reportedly minted 12.85 million tokens and converted thin DEX liquidity into 1,115 ETH in proceeds.
Crypto.news also reported earlier in May that Blockaid flagged an active smart contract exploit involving ShapeShift’s FOX Colony on Arbitrum. That incident drained $132,700 at first, before a related exploit pushed total losses to about $182,700.
DeFi infrastructure risks remain in focus
Recent exploit coverage shows attackers keep targeting weak points around smart contracts, proxies, bridges, wallets, and key management. Crypto.news reported in April that DefiLlama had logged 518 crypto hacks over 10 years, with total losses above $17 billion.
The same report said recent incidents show attackers increasingly target private keys, signing systems, bridges, and wallets, not only smart contract code. That pattern makes module permissions and Safe integrations an important area for teams to review.
Crypto.news also reported that TrustedVolumes lost roughly $6.7 million in an exploit tied to a custom RFQ swap proxy. Blockaid and other firms said about $5.87 million was drained from the protocol’s Ethereum resolver.
The latest SquidRouterModule alert adds another case where connected DeFi infrastructure became the attack surface.