Attacker Drains $3.2M From Third-Party Gnosis Safe Module in Two-Hour Exploit

An attacker siphoned roughly $3.2 million from a third-party Gnosis Safe module called SquidRouterModule over about two hours on Tuesday. The exploit hit 86 Gnosis Safe accounts spanning Ethereum and Base before the attacker swapped the stolen assets into roughly 3 million DAI via Uniswap V3 pools. The incident is the latest in a string of DeFi attacks this month — DefiLlama has tracked more than 20 exploits in May 2026 alone.

A public string in contract code opened the door

The vulnerability lay in a third-party smart-wallet module that integrated with several protocols, including Squid. The module accepted a caller-supplied constant string as proof of message security — and that string was publicly visible in the verified contract code. That allowed the attacker to craft arbitrary calldata and execute it against the affected Gnosis Safe accounts. The compromised contract was labeled 'SquidRouterModule' on Basescan, which caused early confusion about who was at fault.
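The flaw class described above, next to one possible hardening, as an added Solidity sketch. This is not the exploited module's code, which the article does not reproduce: the contract names, the tag value and the operator-plus-allowlist design are assumptions made for illustration, and only `execTransactionFromModule` is taken from the Safe module interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of the Safe interface that a module calls (operation 0 = Call).
interface ISafe {
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation)
        external returns (bool success);
}

// Hypothetical module with the weak check: a constant string treated as proof of authorization.
contract WeakModule {
    // Constants live in bytecode and in verified source, so this value is public, not secret.
    string private constant AUTH_TAG = "constructed-example-tag";

    function execute(ISafe safe, address to, uint256 value, bytes calldata data, string calldata tag) external {
        // Passes for any caller who read the source, against any Safe that enabled the module.
        require(keccak256(bytes(tag)) == keccak256(bytes(AUTH_TAG)), "bad tag");
        require(safe.execTransactionFromModule(to, value, data, 0), "exec failed");
    }
}

// Hypothetical hardened module: authorization is bound to caller identity and to
// per-Safe configuration that only the Safe itself can write.
contract HardenedModule {
    mapping(address => mapping(address => bool)) public operatorOf;    // safe => operator => allowed
    mapping(address => mapping(address => bool)) public allowedTarget; // safe => target => allowed

    // msg.sender is the Safe here, so these are reachable only through a
    // Safe transaction that met the owners' signature threshold.
    function setOperator(address operator, bool allowed) external {
        operatorOf[msg.sender][operator] = allowed;
    }

    function setAllowedTarget(address target, bool allowed) external {
        allowedTarget[msg.sender][target] = allowed;
    }

    function execute(ISafe safe, address to, uint256 value, bytes calldata data) external {
        // Knowledge of a public value grants nothing; the caller must be approved by this Safe.
        require(operatorOf[address(safe)][msg.sender], "caller not approved by Safe");
        // Arbitrary calldata can only reach targets this Safe opted into.
        require(allowedTarget[address(safe)][to], "target not allowed");
        require(safe.execTransactionFromModule(to, value, data, 0), "exec failed");
    }
}
```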

Squid: "None of our users were affected"

The cross-chain router Squid quickly distanced itself from the exploited contract. It said the contract shares its name but is not its code, and that none of Squid's own users were affected. Squid's actual router contract, at 0xce16F69375520ab01377ce7B88f5BA8C48F8D666, remained untouched. User balances, approvals, and platform integrations on Squid stayed safe throughout the incident.

Funds routed through Tornado Cash, then Uniswap

The attacker originally funded the exploit with 2.1 ETH withdrawn from Tornado Cash. After draining the 86 safes, the attacker swapped the stolen assets into approximately 3 million DAI via attacker-controlled Uniswap V3 pools. The exploiter's wallet — 0xA447...54859 — still held the DAI as of this reporting. No further movement has been observed yet.

May's exploit tally passes 20

This attack adds to a busy month for DeFi security incidents. DefiLlama's tracker shows more than 20 exploits in May 2026, covering a range of protocols and attack vectors. The third-party module that was exploited was not a core Squid product but a smart-wallet tool that interacted with multiple platforms. Whether the module's developer will patch the vulnerability or compensate affected users remains an open question.