
While a streak of cyber attacks on the DeFi sector continues this week, Squid, a cross-chain routing and liquidity protocol, distanced itself from reports of a recent cyber attack on its platform, saying that the attack is unrelated to Squid’s core protocol and contracts.
This incident is unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed.
A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable… https://t.co/I3gGmdBvE9
— squid (@squidrouter) May 25, 2026
Squid Says Gnosis Safe Exploit Involves Third-Party Module
On May 25, Blockaid, a blockchain security firm, raised an alert about an attack on a contract named SquidRouterModule on the Ethereum and Base networks. In just two hours, the attackers stole approximately $3.2 million from around 86 multisig wallets linked to Gnosis Safe, which is also known as Safe.
🚨 Blockaid detected an ongoing exploit targeting the SquidRouterModule on Ethereum and Base.
86 Gnosis Safes drained for ~$3M in ~2 hours.
All stolen tokens swapped to DAI via attacker-controlled Uniswap V3 pools.
More details in 🧵
— Blockaid (@blockaid_) May 25, 2026
According to the security firm, the stolen assets consist mostly of stablecoins such as USDC and USDT, along with some other tokens. After stealing these assets, the hackers rushed to swap them into DAI using Uniswap V3 pools that they controlled. In the end, they transferred all stolen funds into one main wallet that currently holds about 3.07 million DAI tokens.
However, within an hour of the security firm's warning, the protocol came forward to clarify the situation through an official statement on X. The protocol said that the incident has no connection to its main protocol or its contracts. “All Squid users and integrators are unaffected, and no action is needed,” the official post on X stated.
According to the official post, the compromised contract was not developed or deployed by Squid. Instead, it was a third-party smart wallet module that connected with Squid and other protocols. The affected wallet owners had manually added this module to their Gnosis Safe wallets as a trusted Safe Module.
Safe Modules are extensions that can execute transactions on behalf of the wallet without requiring approval from the wallet owners each time.
In this attack, the hacker used a very simple method, which turned out to be all the more damaging for DeFi users. The module accepted a fixed string of text, provided by the caller, as proof that a message was safe. That string was publicly visible in the contract's verified code. By supplying the same string, attackers could send in any set of instructions they wanted and make the module execute those actions.
This simple method allowed the attacker to drain tokens whenever they wanted.
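The flaw described above, modelled in Python as an added example (not code from Squid, Safe, or the exploited module): a check that accepts a constant published in verified source approves any instructions, while a proof computed over the exact instructions and a nonce does not. The constant, key, and function names are hypothetical, and an HMAC stands in for an owner's signature check.

```python
import hashlib
import hmac

# Constructed stand-in for the fixed string; the real value is not on the page.
PUBLIC_MAGIC = b"PLACEHOLDER_FIXED_PROOF"


def weak_authorize(instructions: bytes, proof: bytes) -> bool:
    """Flawed pattern: the proof is a constant readable in verified source."""
    # Nothing ties the proof to `instructions`, so one value approves anything.
    return proof == PUBLIC_MAGIC


class BoundAuthorizer:
    """Hardened pattern: proof must cover the exact instructions and a nonce."""

    def __init__(self, owner_key: bytes):
        self._key = owner_key      # never published; stands in for an owner signing key
        self._next_nonce = 0       # rejects replays of an earlier approval

    def sign(self, instructions: bytes, nonce: int) -> bytes:
        # Owner-side step: commit to these instructions at this nonce only.
        msg = nonce.to_bytes(8, "big") + hashlib.sha256(instructions).digest()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def authorize(self, instructions: bytes, nonce: int, proof: bytes) -> bool:
        if nonce != self._next_nonce:
            return False
        if not hmac.compare_digest(self.sign(instructions, nonce), proof):
            return False
        self._next_nonce += 1
        return True


def demo() -> dict:
    approved = b"transfer 10 USDC to treasury"      # constructed sample input
    unapproved = b"transfer all tokens elsewhere"   # constructed sample input
    auth = BoundAuthorizer(owner_key=b"constructed-demo-key")
    proof = auth.sign(approved, 0)
    return {
        "weak_accepts_unapproved": weak_authorize(unapproved, PUBLIC_MAGIC),
        "bound_rejects_swapped_payload": not auth.authorize(unapproved, 0, proof),
        "bound_accepts_approved": auth.authorize(approved, 0, proof),
        "bound_rejects_replay": not auth.authorize(approved, 0, proof),
    }


if __name__ == "__main__":
    print(demo())
```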
“The victims’ Safes had added this faulty contract as a trusted Safe Module, which gives the contract the ability to spend any tokens in the Safe without signatures. Squid’s own router (0xce16F69375520ab01377ce7B88f5BA8C48F8D666) is architecturally different and was not touched. Squid user funds, approvals, and integrations are fully secure,” the official announcement stated.
“Early public reporting may reference “SquidRouter” due to the contract’s verified name on Basescan. The accurate framing is: a third-party SquidRouterModule was exploited, not Squid’s Router contract. The contract shares our name but is not our code. We are monitoring the situation and will share updates if anything changes materially,” the post stated.
In the last few months, the DeFi sector has suffered massive security incidents, including those involving Kelp DAO, Drift, THORChain, and others. These cyber attacks have sparked fear across the DeFi community.
On-chain security firms like Blockaid and individuals like ZachXBT have played an important role in detecting attacks in order to prevent future exploits. Despite this, attackers keep finding new loopholes in existing systems. These constant cyber attacks have raised questions about smart contract security, wallet connections, cross-chain bridges, and third-party tools.



