25 May 2026, 14:43
$3 Million Drained In Two Hours: SquidRouterModule Exploit Exposes Hidden Risks In Third-Party Wallet Integrations
Within a span of two hours, attackers had siphoned almost $3 million from several wallets during a fast and coordinated DeFi exploit that has disrupted parts of the ecosystem. The firm Blockaid says the attack targeted a vulnerable wallet module for smart wallets called SquidRouterModule, used by users on Ethereum and Base networks. Overall, the attack hit 86 Gnosis Safe wallets. Within seconds after the attack, the attacker transferred funds from various checks to pools that the attacker controls on Uniswap V3 in exchange for DAI. The speed and reach of this exploit show how quickly attackers can go from discovery to exploitation once vulnerabilities are found in wallet infrastructure. In less than a blink, assets were drained, exchanged and routed through liquidity pools, scuttling countless users without offering them much time to react. Blockaid detected an ongoing exploit targeting the SquidRouterModule on Ethereum and Base. 86 Gnosis Safes drained for ~$3M in ~2 hours. All stolen tokens swapped to DAI via attacker-controlled Uniswap V3 pools. More details in — Blockaid (@blockaid_) May 25, 2026 Exposure Found In Third-Party Module, Not Core Protocol During the course of investigation, it was realised that the exploit did not originate from the core infrastructure of Squid Router. Rather, the flaw was in a module developed outside of Squid but linked with it. This contract was initially reported as the main contract being attacked, in which case it can be confusing when hearing about a report on Basescan with the name SquidRouterModule. Squid quickly explained that, despite the similar names, this module was a separate piece of functionality and not integrated. The team reiterated the importance of clarifying that even a minor change turning out to be unauthorized did not impact its official router contract, which remains secure: in a later statement shared via Squid’s Twitter Space However, user funds or approvals or integrations that directly tied with Squid’s core infrastructure remained secure. This distinction is crucial. However, despite the exploit involving substantial losses, it did not arise from issues in Squid’s protocol itself. Instead, it illustrated an inherent risk with third-party integrations, a growing aspect of modular DeFi architecture. This incident is unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed. A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable… https://t.co/I3gGmdBvE9 — squid (@squidrouter) May 25, 2026 Vulnerable Validation Logic Allowed Attack At the heart of the exploit, however, was an egregious design issue in the validation logic of a third-party module. The contract used a constant string provided by the caller as proof to construct message authenticity. But this string was available publicly in the verified source code of the contract. Thus an attacker could provide anything that matched the expected string as a way to circumvent all security layers built into the software. After recovery, the contract allowed all calls without selective calldata to go through, and this gave the attacker total control to interact with any transaction from within the wallet. The affected users added this module to their Gnosis Safe as a trusted component, so the contract was allowed to perform fund transfers without additional signatures. The attack unfolded as follows: The attacker provided the string known to pass validation The contract accepted the request as a valid Arbitrary transactions were executed Moved funds out from their wallets This vulnerability shows how simple oversights in auth logic can lead to multi-million dollar losses. Trusted Module Permissions Made The Damage Bigger One of the most important elements that amplified the damage caused by this exploit was the extent of access assigned to the compromised module. Within the Gnosis Safe, trusted modules can make transactions without requiring user signatures. This architecture allows for flexibility and automation of complex workflows. But it comes with some substantial risks too, if a badly designed or malicious module. Here, it turns out users who had enabled the vulnerable SquidRouterModule were inadvertently sending the total control of their wallet assets to the contract. The attacker completely bypassed additional security layers, since the permissions were already in place at that point. What followed was a swift, massive outflow of funds with virtually no opposition. Market Impact and Fund Movement After the exploitation, the attacker had finally drowned all of their stolen assets in a false manner through DEX. By routing funds into DAI via Uniswap V3 pools, they were able to stabilize the value of the stolen assets and reduce exposure to volatility. The total losses are estimated to be between $3 million and $3.2 million, with about $3 million being drawn within less than 120 minutes. The operation’s efficiency demonstrates a very high level of preparedness and knowledge both of the targeted system, as well as DeFi liquidity mechanics. Despite the scale of the attack, its overall impact on the market was limited. The containment is primarily the result of the exploit being confined to certain wallets, rather in broad-based protocol or asset action. Clearing Up Misunderstandings About Squid’s Function Some news reports were linking the exploit to Squid’s core router due to its name as a vulnerable contract. But it is important to separate the third-party module from the official protocol in order for an accurate reading of the incident. It also did not refer instead to Squid’s own official router contract, which is architecturally different and has a separate identifier. Funds that could be traced back to its operations were not impacted and there was nothing wrong found in its code. This case highlights a long-standing issue in DeFi: the challenge of distinguishing between official infrastructure and third-party integrations. With increased connection between ecosystems, having overlapping names and branding can cause confusion around security incidents. Security and DeFi Integration Lessons For Wallets The SquidRouterModule exploit is a reminder that DeFi security goes beyond core protocols. In fact, ever-brightening primary systems can still be at risk if terminated screens or other connected components have foreseeable vulnerabilities. Several lessons emerge: First, users need to be careful when they enable third-party modules or integrations. Wallet level permissions have a broad impact. Secondly, there are many ways developers can put in place strong validation. The presence of publicly accessible constants or weak authentication can be utilized as a vulnerability. Thirdly, it is important to be transparent about ownership and responsibility. Having a clear distinction between official and unofficial components can eliminate confusion in case of incidents and help with panic control. This event also reinforces the most universal truth, security is only as strong as the weakest link in a composable ecosystem like DeFi. With the increasing interconnection between protocols, quality of every element, and not just the core, will become important. The exploit is quantifiable in millions in terms of immediate loss, but the longer-term implications may be less tangible; a shift in how users and developers formulate trust, permissioning and integration abstractions shapes their relationship with decentralized finance. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news !
Invest ideas
