A critical vulnerability in a third-party Gnosis Safe module named “SquidRouterModule” was exploited on May 25, allowing an attacker to drain approximately $3.2 million in assets from 86 wallets across the Ethereum and Base networks.
The incident was first reported by blockchain security firm Blockaid, which detected the ongoing exploit over a two-hour period. According to Blockaid, the attacker leveraged a flaw in the executeSameChainActions() function within the module. This vulnerability allowed the attacker to impersonate authorized delegates and execute arbitrary token swaps from the victim's wallets without requiring additional signatures.
The stolen assets, a mix of various tokens, were swapped through attacker-controlled Uniswap V3 pools and consolidated into roughly $3.07 million worth of the DAI stablecoin. The attack highlights the growing security risks associated with third-party modules and delegated permissions within the decentralized finance (DeFi) ecosystem.
Cross-chain protocol Squid, whose name was associated with the vulnerable module, moved quickly to distance its core protocol from the exploit. In a public statement, Squid clarified that the “SquidRouterModule” was a third-party smart-wallet product that integrated with Squid but was not built, deployed, or operated by the company. "The accurate framing is: a third-party SquidRouterModule was exploited, not Squid’s Router contract," the company stated. This incident underscores the potential for reputational damage through association, even when a protocol's core contracts remain secure.
The exploit serves as a stark reminder of the security complexities in DeFi, where composability and third-party integrations can introduce unforeseen vulnerabilities. For users of multi-signature wallets like Gnosis Safe, it emphasizes the critical need to vet and understand the permissions granted to any third-party modules. As of 14:30 UTC on May 25, the stolen funds remained in the attacker's wallet, with no indication of their next move.
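The vetting advice above, carried into code. This is an added example, not code from Blockaid, Squid, the Safe project or the article: it decodes the raw return data of a Safe's `getModulesPaginated(start, pageSize)` call, compares the enabled modules against an allowlist the Safe owners maintain, and computes the `(prevModule, module)` argument pairs that `disableModule` needs. The Safe interface names and the sentinel address `0x…01` are assumed from the Safe (Gnosis Safe) contracts; the module addresses and the return blob are constructed sample data.

```python
"""Audit the modules enabled on a Safe (Gnosis Safe) and plan removal of any that are not
on an allowlist. Added example; not code from Blockaid, Squid or the Safe project.
Assumes the Safe contract interface getModulesPaginated(address start, uint256 pageSize)
-> (address[] array, address next) and disableModule(address prevModule, address module)."""
from typing import Iterable, List, Tuple

# Safe keeps enabled modules in a singly linked list whose head/terminator is address(1).
SENTINEL_MODULES = "0x" + "00" * 19 + "01"


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word of `data`."""
    return data[32 * i: 32 * (i + 1)]


def _addr(word: bytes) -> str:
    """Right-aligned 20-byte address inside a 32-byte word, as lowercase hex."""
    return "0x" + word[12:].hex()


def decode_modules_paginated(ret: bytes) -> Tuple[List[str], str]:
    """Decode the raw return data of Safe.getModulesPaginated: (address[] array, address next).
    The head holds the byte offset of the dynamic array and the `next` address; the tail holds
    the array length followed by one word per element."""
    offset = int.from_bytes(_word(ret, 0), "big")
    next_addr = _addr(_word(ret, 1))
    base = offset // 32
    length = int.from_bytes(_word(ret, base), "big")
    modules = [_addr(_word(ret, base + 1 + i)) for i in range(length)]
    return modules, next_addr


def encode_modules_paginated(modules: List[str], next_addr: str) -> bytes:
    """Build return data in the same layout (used here only to construct sample input)."""
    def pad_addr(a: str) -> bytes:
        return bytes.fromhex(a[2:]).rjust(32, b"\x00")
    head = (64).to_bytes(32, "big") + pad_addr(next_addr)  # head is two words, so offset 0x40
    tail = len(modules).to_bytes(32, "big") + b"".join(pad_addr(m) for m in modules)
    return head + tail


def plan_module_removal(modules: List[str], approved: Iterable[str],
                        start: str = SENTINEL_MODULES) -> List[Tuple[str, str]]:
    """Return (prevModule, module) argument pairs for Safe.disableModule, one per module that
    is not in `approved`. `modules` must be in linked-list order as returned by
    getModulesPaginated starting at `start`, so entry i's predecessor is entry i-1 (or `start`).
    Pairs are emitted from the tail of the list backwards: removing a later entry never changes
    the predecessor of an earlier one, so every pair stays valid if executed in this order."""
    allow = {a.lower() for a in approved}
    plan: List[Tuple[str, str]] = []
    for i in range(len(modules) - 1, -1, -1):
        module = modules[i].lower()
        if module in allow:
            continue
        prev = modules[i - 1].lower() if i > 0 else start.lower()
        plan.append((prev, module))
    return plan


# Constructed sample: three modules enabled, only the second one approved by the Safe owners.
MODULE_A = "0x" + "aa" * 20
MODULE_B = "0x" + "bb" * 20
MODULE_C = "0x" + "cc" * 20
SAMPLE_RETURN_DATA = encode_modules_paginated([MODULE_A, MODULE_B, MODULE_C], SENTINEL_MODULES)
APPROVED_MODULES = {MODULE_B}


def audit_sample() -> List[Tuple[str, str]]:
    """Decode the constructed page and compute the disableModule calls for unapproved modules."""
    modules, next_addr = decode_modules_paginated(SAMPLE_RETURN_DATA)
    # `next` equal to the sentinel means the whole list was traversed in this page;
    # anything else means a further page exists and must be fetched before auditing.
    assert next_addr == SENTINEL_MODULES, "more modules to fetch before auditing"
    return plan_module_removal(modules, APPROVED_MODULES)


if __name__ == "__main__":
    for prev, mod in audit_sample():
        print(f"disableModule({prev}, {mod})")
```

On a real Safe, the return blob comes from an `eth_call` to `getModulesPaginated(SENTINEL_MODULES, pageSize)`, and each planned pair is submitted as a normal owner-signed `disableModule` transaction. The reverse ordering matters because `disableModule` checks that `prevModule` still points at `module`; removing entries front to back would invalidate the predecessors computed for the later ones.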