Gnosis Safe users lose $3.2M in Base and Ethereum exploit

Security warnings issued on May 25, 2026, indicate that about $3.2 million has been siphoned from 86 Gnosis Safes in just two hours. This is via the Base and Ethereum blockchain networks. The vulnerability exploited a smart contract called “SquidRouterModule.” It caused instant confusion in the crypto community due to its similar name to the official Squid Router network.

According to reports, the stolen funds were instantly converted into approximately $3 million in DAI tokens via the attacker-controlled Uniswap V3 pools. The hacker used the wallet address 0xA447…54859, which was previously sent 2.1 ETH via TornadoCash.

86 Gnosis safes targeted in a new hack

Security firms such as PeckShield and Blockaid were the first to detect this exploit. In the report by PeckShield, the details of the SquidRouterModule exploit were provided, along with the actual flow of funds. This included not only the use of TornadoCash but also exchanging all tokens for DAI.

#PeckShieldAlert The SquidRouterModule has been exploited for ~$3M in assets.
The exploiter, who was originally funded with 2.1 $ETH from #TornadoCash, has swapped the stolen funds for ~3M $DAI. The stolen assets are currently sitting in the exploiter's wallet 0xA447…54859 pic.twitter.com/RAmpIZQhQh

— PeckShieldAlert (@PeckShieldAlert) May 25, 2026

In its report, Blockaid mentioned that 86 Gnosis Safes had been exploited in less than two hours, and all tokens exchanged using liquidity pools controlled by the attacker. Previously, users had authorized these contracts within their Gnosis Safes with elevated privileges, without requiring user signatures.

The root cause lies in the design of the third-party Gnosis Safe module itself. The contract, audited by Basescan and named SquidRouterModule, would accept an immutable string provided by the caller as proof of the message’s security.

As this string was clearly visible in the publicly available source code, it became possible to bypass all security measures. Following the provision of the string, the module allowed the execution of calldata provided within an array.

The fact that the module had already been whitelisted as a legitimate Safe Module by the victims enabled the attacker to withdraw funds from the Gnosis Safes regardless of the token type. The legitimate Squid Router contract (0xce16F69375520ab01377ce7B88f5BA8C48F8D666) uses a completely different architecture and has not been affected by this attack.

Squid Router distances itself from the hack incident

Squid Router’s official X account did not take long before setting the record straight. In its statement, the company made clear that the exploited contract was not built, deployed, or managed by Squid. It was identified as a smart wallet by another third party that decided to integrate with Squid and other projects, but never contacted the Squid team.

The team explained that there was nothing related to the core Squid protocol or its contracts regarding this incident. In addition, not all Squid users and integrators are affected. Moreover, Squid highlighted that initial public information could erroneously refer to SquidRouter based solely on the name of the exploited contract available on Basescan.

Binance’s CZ calls on devs to fix hack problems

As a clear indication of how increasingly vulnerable the crypto space has become in its supply chain, the founder of Binance, Changpeng Zhao (also known as CZ), has called for developers to swap their API keys after a GitHub data breach.

As reported by Cryptopolitan, CZ urged that if users have API keys in their code, even private repos, now is the time to double-check and change them. This is due to the risk of exposed API keys in the event of a breach, as they could be used by trading bots, DeFi protocols, analytics platforms, and other related services.

The smartest crypto minds already read our newsletter. Want in? Join them.