
Blockaid Flags $3M SquidRouterModule Exploit Across 86 Gnosis Safes
Security firm Blockaid identified a SquidRouterModule exploit that drained approximately $3 million from 86 Gnosis Safe wallets. Stolen tokens were subsequently swapped into DAI on Ethereum and Base blockchains.
Key Takeaways
- Blockaid detected a vulnerability in SquidRouterModule that affected 86 Gnosis Safe smart contract wallets, resulting in approximately $3 million in losses.
- The attacker exploited the module to gain unauthorized access to the affected safes and extract funds.
- No timeline for the exploit or details on how the initial vulnerability was discovered have been disclosed.
- Following the theft, the stolen tokens were converted to DAI stablecoin on both Ethereum and Base networks.
- The use of stablecoins across multiple chains suggests an attempt to fragment the funds and complicate recovery or tracking efforts.
The Exploit and Scope
Blockaid detected a vulnerability in SquidRouterModule that affected 86 Gnosis Safe smart contract wallets, resulting in approximately $3 million in losses. The attacker exploited the module to gain unauthorized access to the affected safes and extract funds. No timeline for the exploit or details on how the initial vulnerability was discovered have been disclosed.
Asset Recovery and Token Swaps
Following the theft, the stolen tokens were converted to DAI stablecoin on both Ethereum and Base networks. The use of stablecoins across multiple chains suggests an attempt to fragment the funds and complicate recovery or tracking efforts. Blockaid's disclosure did not specify whether the funds remained on-chain or if further movement occurred after the initial conversions.
Gnosis Safe and Module Risk
Gnosis Safe allows users to extend wallet functionality through optional modules, which add features but also introduce additional attack surface. SquidRouterModule was designed to facilitate token routing but appears to have contained a critical flaw in its access controls or validation logic. The incident underscores the ongoing risks associated with third-party extensions to widely used smart contract wallets.
Why It Matters
For Traders
Users holding assets in Gnosis Safes using SquidRouterModule should immediately audit wallet permissions and consider migrating funds if the module remains active.
For Investors
The incident highlights module-based vulnerabilities in modular wallet architecture; Safe ecosystem participants may face pressure to implement stricter module vetting or deprecation processes.
For Builders
Module developers should review access control patterns and consider how permissioned extensions can be audited; wallet platforms may need more robust module sandboxing or whitelisting mechanisms.
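One way to carry out the module audit recommended above, as an added example that is not Blockaid's or Safe's own code: it decodes the return data of the Safe contract's getModulesPaginated call, pages through the module list, and reports enabled modules missing from an allowlist. The module addresses, the allowlist and the fake_fetch stand-in for a real eth_call are constructed placeholders, and the paging assumes recent Safe versions, where next is the last address of a non-final page.

```python
# Head and terminator of the Safe's linked list of modules (address 0x1).
SENTINEL = "0x" + "00" * 19 + "01"

def _addr(word: bytes) -> str:
    """Convert one 32-byte ABI word to a lowercase hex address."""
    if word[:12] != bytes(12):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret: bytes):
    """Decode getModulesPaginated return data: (address[] array, address next)."""
    if len(ret) < 96 or len(ret) % 32:
        raise ValueError("truncated return data")
    offset = int.from_bytes(ret[:32], "big")  # where the dynamic array starts
    if offset + 32 > len(ret):
        raise ValueError("array offset outside return data")
    count = int.from_bytes(ret[offset:offset + 32], "big")
    body = ret[offset + 32:]
    if count * 32 > len(body):
        raise ValueError("array length exceeds return data")
    return [_addr(body[i * 32:(i + 1) * 32]) for i in range(count)], _addr(ret[32:64])

def list_modules(fetch_page, page_size=10, max_pages=100):
    """Collect all enabled modules; fetch_page(start, size) returns raw call output."""
    modules, start = [], SENTINEL
    for _ in range(max_pages):  # bound the walk in case the list never terminates
        page, nxt = decode_modules_page(fetch_page(start, page_size))
        modules += page
        if nxt == SENTINEL or not page:
            return modules
        start = nxt
    raise RuntimeError("module list did not terminate")

def unapproved(modules, allowlist):
    """Return enabled modules that are not on the reviewed allowlist."""
    allowed = {a.lower() for a in allowlist}
    return [m for m in modules if m not in allowed]

# Constructed placeholder module addresses (not real contracts).
SAMPLE = ["0x" + f"{n:040x}" for n in (0xA1, 0xB2, 0xC3)]

def _enc(page, nxt):
    """ABI-encode (address[], address) the way the Safe would return it."""
    word = lambda a: bytes(12) + bytes.fromhex(a[2:])
    return (64).to_bytes(32, "big") + word(nxt) + len(page).to_bytes(32, "big") + b"".join(map(word, page))

def fake_fetch(start, size):
    """Constructed stand-in for an eth_call to getModulesPaginated(start, size)."""
    i = 0 if start == SENTINEL else SAMPLE.index(start) + 1
    page = SAMPLE[i:i + size]
    return _enc(page, SENTINEL if i + size >= len(SAMPLE) else page[-1])
```

In real use, fetch_page would issue the eth_call against the Safe's address, and any address returned by unapproved is a module to review or disable.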






