Squid moved immediately to distance its core routing protocol from the exploited module, stating that SquidRouterModule was a third-party Gnosis Safe module that it did not develop, deploy, or operate. The attacker funded the exploit address through Tornado Cash, and the stolen DAI remains in the attacker's wallet as of the latest reports with no freeze or recovery.
The attack centered on a vulnerability in the SquidRouterModule's executeSameChainActions() function, which accepted arbitrary calldata and used a fixed-string verification that attackers could easily reuse. The technical sequence unfolded in four rapid steps:
This specific attack vector, abusing a third-party module's weak verification to override wallet security, differs from other major 2026 exploits that primarily relied on forged cross-chain messages.
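A simplified model of the weakness described above, added here as an example and not taken from the module's code: a check computed over a constant accepts any calldata once one valid proof has been seen, while a check bound to chain, Safe, nonce and calldata does not. HMAC stands in for an on-chain signature, and every name and value (`OPERATOR_KEY`, `FIXED_MESSAGE`, `BoundVerifier`, the sample calldata, the placeholder Safe address) is an assumption made for illustration.

```python
import hashlib
import hmac

# All values are constructed for illustration; none come from the incident.
OPERATOR_KEY = b"constructed-demo-key"   # hypothetical authorizer secret
FIXED_MESSAGE = b"AUTHORIZED"            # hypothetical constant being verified

def tag(message: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in for a signature over `message`."""
    return hmac.new(OPERATOR_KEY, message, hashlib.sha256).digest()

def weak_verify(proof: bytes, calldata: bytes) -> bool:
    """Weak form: the proof covers a constant, so calldata is never checked."""
    return hmac.compare_digest(proof, tag(FIXED_MESSAGE))

class BoundVerifier:
    """Hardened form: the proof covers chain id, Safe, nonce and calldata."""
    def __init__(self, chain_id: int, safe: str):
        self.chain_id, self.safe, self.nonce = chain_id, safe, 0

    def digest(self, nonce: int, calldata: bytes) -> bytes:
        h = hashlib.sha256()
        for field in (str(self.chain_id).encode(), self.safe.encode(),
                      str(nonce).encode(), calldata):
            h.update(len(field).to_bytes(4, "big") + field)  # length-prefix each field
        return h.digest()

    def verify(self, proof: bytes, calldata: bytes) -> bool:
        if not hmac.compare_digest(proof, tag(self.digest(self.nonce, calldata))):
            return False
        self.nonce += 1  # each proof is usable once
        return True

def demo() -> dict:
    intended, other = b"intended-action", b"different-action"
    seen_proof = tag(FIXED_MESSAGE)  # identical for every call, so reusable
    verifier = BoundVerifier(chain_id=1, safe="0xSAFE_PLACEHOLDER")
    bound_proof = tag(verifier.digest(0, intended))
    return {
        "weak_accepts_reused_proof": weak_verify(seen_proof, other),
        "bound_rejects_other_calldata": not verifier.verify(bound_proof, other),
        "bound_accepts_intended_call": verifier.verify(bound_proof, intended),
        "bound_rejects_replay": not verifier.verify(bound_proof, intended),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```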
The SquidRouterModule exploit arrived at a particularly sensitive moment for the Squid brand:
Squid responded within hours, clarifying through multiple channels that the compromised module was "unrelated to Squid" and structurally different from its core cross-chain routing contracts. The company emphasized that no Squid user funds or core protocol contracts were affected. This rapid brand defense was necessary because the module's name created a direct association with Squid in public reporting.
The SquidRouterModule incident is the latest in a devastating series of cross-chain attacks that have made 2026 the worst year on record for bridge security:
According to blockchain security firm PeckShield, eight major bridge-related hacks had stolen a combined $328.6 million from cross-chain protocols by mid-May 2026. The total crypto hack figure across all categories exceeded $750 million by late May, with bridges representing the single largest attack vector.
The attack patterns vary but reveal recurring weaknesses. Forged cross-chain messages enabled the largest exploits, including the KelpDAO attack that minted 116,500 fake rsETH tokens and the Verus bridge hack that tricked the protocol into sending funds from its reserves. Private key compromises, as seen in the IoTeX ioTube bridge attack, and smart contract logic flaws, as in the CrossCurve hack, remain persistent threats. The SquidRouterModule exploit adds a newer pattern: abusing third-party wallet module permissions to bypass established security frameworks.
As of the latest available reports from May 25-26, 2026, the approximately 3.07 million DAI remains in the attacker's wallet with no reported freeze, recovery, or return. The attacker's address was funded through Tornado Cash, a privacy mixer commonly used in DeFi exploits to obscure the origin of transaction funds. No arrests or fund movements have been publicly reported.
The incident underscores a persistent challenge in DeFi security: even well-audited wallet infrastructure can be compromised through third-party modules that users integrate without fully vetting their security properties. For Gnosis Safe users, the lesson is clear—every module added to a Safe expands the attack surface, and module vulnerabilities can override the multi-signature protections that make Safes otherwise secure.