According to security alerts published on May 25, 2026, a total of $3.2 million in crypto assets was withdrawn from 86 different Gnosis Safe wallets in just two hours as a result of a critical vulnerability exploited on the Base and Ethereum networks. The source was determined to be a flaw in a smart contract called “SquidRouterModule”. The incident caused considerable confusion in the community because the module’s name resembles that of the official Squid Router network.
Details of the Attack and the Method Followed
Leading security companies PeckShield and Blockaid brought the breach to light within a short time. The report published by PeckShield detailed the entire flow of the attack: the hacker had previously received 2.1 ETH via TornadoCash and quickly converted all of the stolen assets into approximately 3 million DAI tokens in Uniswap V3 pools. The wallet address used by the attacker was also shared with the public.
The PeckShield report stated that the attacker first converted approximately $3 million of assets into DAI by using the SquidRouterModule vulnerability, and that the stolen funds were kept in the wallet starting with 0xA447.
According to Blockaid’s findings, 86 different Gnosis Safe wallets were compromised in an extremely short period of time. The attack succeeded because users had previously granted these contracts extra authorization and because no signature was required for the transaction.
SquidRouterModule Vulnerability and Technical Background
At the root of the incident is the design of a Gnosis Safe module created by a third-party developer. As examined on Basescan, the smart contract called “SquidRouterModule” accepted a literal string sent by the caller as proof of authorization.
Mini dictionary: Gnosis Safe is a popular crypto wallet solution known for its multi-signature (multisig) feature, which protects users’ assets by requiring multiple signatures. Delegated modules are plugins that can bypass signature requirements.
Because this string was directly visible in publicly available source code, attackers easily bypassed the security check. Because the victims had whitelisted the module as a “trusted Safe Module”, the hackers were able to withdraw any amount of assets they wanted from the Gnosis Safe wallets. The official Squid Router contract mentioned in connection with the incident was not affected by the attack because its architecture is completely different.
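The pattern described above, a caller-supplied string compared against a value readable in public source, is shown here beside a module that authorizes by caller identity instead. This is an added example, not the SquidRouterModule source: the contract names, the passphrase and the fixed-router restriction are hypothetical, and only `execTransactionFromModule` and `isOwner` are real Safe functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal view of the Safe functions used below (operation 0 = Call).
interface ISafe {
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation)
        external returns (bool);
    function isOwner(address owner) external view returns (bool);
}

// WEAK (hypothetical): the "proof" is a constant. Anything in deployed
// bytecode or verified source is public, so this check authenticates nobody.
contract WeakModule {
    string private constant PASSPHRASE = "example-passphrase"; // constructed value

    function execute(ISafe safe, address to, uint256 value, bytes calldata data, string calldata proof)
        external
    {
        require(keccak256(bytes(proof)) == keccak256(bytes(PASSPHRASE)), "bad proof");
        // Runs with the Safe's authority for every Safe that enabled this module.
        require(safe.execTransactionFromModule(to, value, data, 0), "exec failed");
    }
}

// HARDENED (hypothetical): bound to one Safe and one target, and the caller
// must be a current owner of that Safe. A single owner still bypasses the
// signature threshold, which is why the target and value are fixed.
contract HardenedModule {
    ISafe public immutable safe;
    address public immutable router; // assumed integration target, set at deploy

    constructor(ISafe _safe, address _router) {
        safe = _safe;
        router = _router;
    }

    function execute(bytes calldata data) external {
        require(safe.isOwner(msg.sender), "caller is not a Safe owner");
        require(safe.execTransactionFromModule(router, 0, data, 0), "exec failed");
    }
}
```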
Squid Router: We had nothing to do with the attack
Following the confusion, Squid Router’s official social media account quickly issued a statement emphasizing that the module in question was not developed, distributed or managed by the Squid team. According to the statement, the module belonged to a third-party smart wallet provider that wanted to integrate with Squid and other projects.
The statement underlined that the Squid core protocol and its contracts have nothing to do with the security vulnerability. It was also stated that not all Squid users or integrated services are at risk. The company noted that reporting on such vulnerabilities should be based on accurate sources to prevent misunderstandings arising from name similarity.
Security Warning to Developers from Binance Founder
Pointing out that supply chain vulnerabilities have increased in the crypto industry recently, Binance founder Changpeng Zhao (CZ) issued an urgent call to developers after a new security breach. Following the data leak via GitHub, CZ stated that it is important for users and developers to check and change API keys.
CZ reminded developers that in areas such as trading bots, decentralized finance applications and analysis platforms, API keys stored in code pose a risk if leaked, even if they are kept secret. He emphasized that developers should review and renew such keys, even if they are in private repositories.
