A $3.2 million heist drained Gnosis Safe wallets over the weekend. The attackers exploited the SquidRouterModule, a component used in the platform's modular architecture. The incident adds to a growing list of DeFi breaches where complex, interconnected systems open the door for targeted theft.
The targeted module
Gnosis Safe is a popular multi-signature wallet for managing digital assets. But like many DeFi tools, it relies on external modules to extend functionality. The SquidRouterModule, which helps route transactions across different protocols, became the entry point for the exploit. Investigators have not released full technical details, but the attacker managed to bypass safeguards and pull funds directly from users' wallets.
The stolen amount—$3.2 million—was confirmed by security firms monitoring the blockchain. The funds are still being tracked, with no recovery reported as of Monday.
DeFi's modular security challenge
The exploit highlights a recurring weakness in decentralized finance: modularity. DeFi platforms often stitch together multiple smart contracts and third-party modules to offer new features. Each integration is a potential attack surface. The SquidRouterModule incident shows that even widely used wallets like Gnosis Safe are not immune.
Security audits are supposed to catch these flaws before they go live. But the pace of development in DeFi often outpaces review cycles. The result is gaps that attackers exploit. This latest theft reinforces calls for more rigorous and continuous auditing of every module in a system, not just the core contracts.
Gnosis Safe has not yet issued a public statement about the exploit. Users are advised to revoke approvals for the SquidRouterModule until further notice, though the damage is already done.
The question now is whether other modules in the Gnosis Safe ecosystem contain similar vulnerabilities—and how quickly the team can patch them.
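A check for the advice to remove the SquidRouterModule, as an added example that is not part of the original article or Safe's own code: it decodes the return data of the Safe contract's `getModulesPaginated` view call to see whether a flagged module is still enabled, and which `prevModule` argument a `disableModule` call would need. It assumes that removing the module means disabling it on the Safe; all addresses and the return data are constructed placeholders, since the article gives no module address.

```python
# Added example; addresses and return data are constructed placeholders.
SENTINEL = "0x" + "00" * 19 + "01"  # head/terminator of the Safe module list

def word(addr: str) -> bytes:
    """ABI-encode an address as a left-padded 32-byte word."""
    return bytes(12) + bytes.fromhex(addr[2:])

def addr_from_word(w: bytes) -> str:
    """Extract the address from a 32-byte ABI word, rejecting dirty padding."""
    if len(w) != 32 or any(w[:12]):
        raise ValueError("malformed address word")
    return "0x" + w[12:].hex()

def decode_modules_page(ret: bytes):
    """Decode getModulesPaginated's return: (address[] array, address next)."""
    if len(ret) < 96 or len(ret) % 32:
        raise ValueError("truncated return data")
    offset = int.from_bytes(ret[0:32], "big")
    if offset % 32 or offset + 32 > len(ret):
        raise ValueError("bad array offset")
    count = int.from_bytes(ret[offset:offset + 32], "big")
    body = ret[offset + 32:]
    if count * 32 > len(body):
        raise ValueError("array length exceeds data")
    modules = [addr_from_word(body[i * 32:(i + 1) * 32]) for i in range(count)]
    return modules, addr_from_word(ret[32:64])

def audit(ret: bytes, flagged: str, start: str = SENTINEL) -> dict:
    """Is `flagged` enabled, and which prevModule would disableModule need?"""
    modules, nxt = decode_modules_page(ret)
    prev = start
    for m in modules:
        if m == flagged.lower():
            return {"enabled": True, "prev_module": prev}
        prev = m  # list order: each entry is the predecessor of the next
    # next != SENTINEL means more pages exist, so "not found" is not final yet
    return {"enabled": False, "prev_module": None, "complete": nxt == SENTINEL}

MOD_A = "0x" + "aa" * 20    # constructed: some other enabled module
FLAGGED = "0x" + "bb" * 20  # constructed stand-in for the flagged module
SAMPLE = ((64).to_bytes(32, "big") + word(SENTINEL) + (2).to_bytes(32, "big")
          + word(MOD_A) + word(FLAGGED))  # constructed eth_call result

if __name__ == "__main__":
    print(audit(SAMPLE, FLAGGED))
```

In practice the `ret` bytes come from an `eth_call` to the Safe with `start` set to the sentinel address; when the result is not complete, the next page has to be fetched before concluding the module is absent.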




