Crypto Heist Exposes Vulnerability in Gnosis Safe Wallets

A security breach on May 25, 2026, resulted in the theft of $3.2 million in digital assets from 86 Gnosis Safe wallets across the Base and Ethereum networks. The incident was linked to a flaw in a “SquidRouterModule” smart contract, causing significant alarm among crypto users due to its name’s resemblance to the legitimate Squid Router network.

How did the crypto exploit unfold?

Renowned blockchain security firms PeckShield and Blockaid were vigilant in identifying the breach. PeckShield’s report detailed the hacker’s method: starting with an anonymous transaction of 2.1 ETH through TornadoCash, they converted stolen funds to nearly 3 million DAI tokens via Uniswap V3 pools. The hacker’s wallet address was disclosed for public awareness.

The attacker capitalized on a vulnerability in the SquidRouterModule to move about $3 million into a wallet identified by 0xA447, PeckShield reported.

Blockaid’s findings revealed that the rapid compromise of 86 Gnosis Safe wallets stemmed from users previously granting extensive permissions to the flawed contract. This allowance negated the need for signatures, expediting the exploit’s success.

Why was SquidRouterModule susceptible?

The vulnerability originated from a Gnosis Safe module fashioned by a third-party developer. This “SquidRouterModule” accepted a string visible in the open-source code as a security measure. With access to this string, attackers bypassed security, exploiting the pre-approved “trusted Safe module” status to steal from Gnosis Safe wallets. Significantly, the legitimate Squid Router contract was distinct and unharmed by this exploit.

The genuine Squid Router team promptly clarified their non-involvement. In an official announcement, they confirmed the attacked module was created by an unrelated developer. Assurance was given that their core protocol remained unaffected and emphasized the importance of attributing vulnerabilities correctly to prevent misdirection due to name similarities.

Security Enhancements and Developer Warnings

In response to rising threats in digital asset security, Binance founder Changpeng Zhao (CZ) advised developers to heighten vigilance. Following a Github data breach, CZ urged regular review and refreshing of API keys for better security. He stressed that even API keys stored in private code for decentralized finance applications and trading bots may be susceptible if leaked.

Key takeaways from the breach include:

• The necessity of comprehensive security audits for new smart contracts.
• Ensuring clarity and disambiguation in naming conventions.
• Advocating for enhanced user awareness concerning third-party integrations and approval settings.

The heist underscores the critical importance of constant vigilance and security updates in the rapidly evolving crypto space, as bad actors continuously exploit emerging vulnerabilities. Active cooperation between security firms, developers, and users is essential to safeguard digital assets effectively.