Eighty-six Gnosis Safe wallets were drained of roughly $3.2 million on May 25. The entire operation took under two hours.

Blockchain security firm Blockaid flagged the exploit in real time, posting on X that the SquidRouterModule on Ethereum and Base was being actively targeted. All stolen tokens were converted to DAI through Uniswap V3 pools the attacker controlled directly.

The Only Exit the Permissions Would Honor

Here is what most coverage passed over. The attacker did not just transfer the stolen funds out. They could not.

On-chain researcher 0x_Abdul broke down the full mechanics on X after the attack. The SquidRouterModule’s permissions framework authorized only one action type: Uniswap V3 swaps. Direct ERC-20 transfers were blocked by design. The module existed specifically to let approved delegates rebalance Safe holdings through swaps, not to move funds freely.

The attacker was able to act as an authorized delegate. But the Safe’s permissions manager would honor only swap actions, so a straightforward withdrawal was off the table by construction.

So the attacker built the only exit route the system would accept. As 0x_Abdul posted on X, they deployed a worthless ERC-20 token called “u,” seeded a one-sided Uniswap V3 pool with it, then had the victim Safes swap real USDC, USDT, and a 12.7M ENA position into that token. The pool absorbed the real assets. The attacker, as the sole owner of the LP position, then pulled everything back out.

The fake pool was not a laundering layer. It was the only door the permissions left open.

As 0x_Abdul posted on X:

“The rigged pool was the only exit route the permissions would honor. The manager only authorized swap actions, so the attacker had to engineer a swap that drained instead of a transfer that drained.”

Not Squid’s Code, Just Squid’s Name

Squid moved fast to distance itself from the framing spreading in early reports. As @squidrouter posted on X, the SquidRouterModule was not built, deployed, or operated by Squid. A third party had named the contract after Squid when integrating it independently, with no contact with the Squid team.

Squid’s own router contract, 0xce16F69375520ab01377ce7B88f5BA8C48F8D666, was not touched. As @squidrouter posted on X, all Squid users and integrators were unaffected and no action was needed.

The name on Basescan created enough confusion to send early reports in the wrong direction. A contract’s name on a block explorer is whatever its deployer chose when submitting source for verification, and verification confirms only that the published source compiles to the deployed bytecode. It says nothing about who wrote the code, whether it was audited, or whether it is safe to use.

Inside the Technical Execution

Blockaid traced the root cause to the executeSameChainActions() function inside the vulnerable module. As Blockaid posted on X, the attacker deployed Foundry-based exploit contracts that called the module’s DelegateBundler path to impersonate authorized delegates on victim Safes. This let them execute arbitrary Uniswap V3 swaps directly from each Safe, swapping real assets into the worthless “u” token.

The token called “u” had a fixed max supply, 42 holders, and no real value. It existed solely to sit on the other side of the rigged pool and receive real funds.

As Blockaid posted on X, the exploiter address is 0x9bdc730183821b6bb2b51be30b77c964fa645b91, pre-funded through Tornado Cash before the attack. The consolidation wallet at 0xa447f71782135ab96a71374271a749ff7aa54859 held approximately 3.07M DAI at time of publication. An example drain transaction is on-chain at Etherscan.

After each drain, the attacker removed liquidity from the pools and consolidated all proceeds into DAI. The 3.07M DAI had not moved at time of publication.

What This Means for Safe Wallet Users

This incident speaks most directly to anyone holding DeFi treasury funds in a Safe with third-party modules enabled.

Scoping a delegate to “only do X” holds only if X itself cannot be turned against you. Uniswap V3 was a trusted protocol. The pool sitting on the other side of the swap was not, and anyone can create a Uniswap V3 pool for any token pair. A swap permission that constrains neither the output token nor a minimum output is, in effect, a transfer permission with extra steps. The permission boundary looked tight. The attack proved it was not.

As 0x_Abdul posted on X, the lesson is blunt: restricting a delegate to a specific action type only buys safety if that action type cannot itself be gamed. In this case, it could.
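The following is an added toy model, not the SquidRouterModule’s code or anything published by 0x_Abdul, Blockaid, or Squid. It reproduces the mechanics of the breakdown above (a swap-only delegate policy, an attacker-owned one-sided pool of a worthless token, and the LP pulling the real asset back out) and then applies the lesson from this section: the same swap is rejected once the policy allowlists the output token and ties the minimum output to a reference price. The pool uses flat 1:1 toy pricing rather than Uniswap V3 tick math; `SAFE`, `ATTACKER`, the policy functions, `OUT_ALLOWLIST` and `REF_PRICE_USD` are all constructed for the example.

```python
"""Toy model of a swap-only Safe delegate policy and the rigged-pool exit.

Added example, not the SquidRouterModule's code: the pool, policies and
addresses below are constructed to reproduce the mechanics the breakdown describes.
"""
from dataclasses import dataclass, field

SAFE = "0xsafe"            # placeholder victim Safe
ATTACKER = "0xattacker"    # placeholder, not the incident's exploiter address


@dataclass
class Pool:
    """Toy pool: swaps are paid from reserves, and the sole LP can pull all reserves."""
    lp: str
    reserves: dict = field(default_factory=dict)

    def swap(self, token_in, amount_in, token_out):
        # Toy 1:1 pricing, capped by what the pool holds of token_out. The real pool
        # was one-sided Uniswap V3 liquidity in a worthless token; all that matters
        # here is that the real asset lands in reserves the attacker's LP position owns.
        paid = min(amount_in, self.reserves.get(token_out, 0))
        self.reserves[token_out] = self.reserves.get(token_out, 0) - paid
        self.reserves[token_in] = self.reserves.get(token_in, 0) + amount_in
        return paid

    def remove_liquidity(self, caller):
        if caller != self.lp:
            raise PermissionError("only the LP can remove liquidity")
        out, self.reserves = self.reserves, {}
        return out


@dataclass
class SwapAction:
    safe: str
    delegate: str
    pool: Pool
    token_in: str
    token_out: str
    amount_in: int
    min_out: int   # the amountOutMinimum the delegate submits with the swap


def swap_only_policy(delegates, action):
    """The incident's effective rule: a delegate may submit any Uniswap V3 swap."""
    if action.delegate not in delegates.get(action.safe, set()):
        return False, "caller is not a delegate"
    return True, "swap action permitted"


OUT_ALLOWLIST = {"USDC", "USDT", "DAI", "WETH"}
REF_PRICE_USD = {"USDC": 1.0, "USDT": 1.0, "DAI": 1.0, "WETH": 3000.0}  # constructed reference prices


def hardened_policy(delegates, action, max_slippage_bps=50):
    """Swap-only plus an allowlisted output token and a minimum output tied to a
    reference price. Anyone can create a Uniswap V3 pool for any pair, so 'it is a
    Uniswap V3 swap' constrains nothing about the counterparty; these two checks do."""
    ok, why = swap_only_policy(delegates, action)
    if not ok:
        return ok, why
    if action.token_out not in OUT_ALLOWLIST:
        return False, f"token_out {action.token_out!r} not allowlisted"
    if action.token_in not in REF_PRICE_USD:
        return False, f"no reference price for {action.token_in!r}"
    fair_out = action.amount_in * REF_PRICE_USD[action.token_in] / REF_PRICE_USD[action.token_out]
    floor = fair_out * (10_000 - max_slippage_bps) / 10_000
    if action.min_out < floor:
        return False, f"min_out {action.min_out} below reference floor {floor:.0f}"
    return True, "swap within policy"


def execute(policy, delegates, safe_balances, action):
    """Run the policy; on approval, move funds exactly as the swap would."""
    ok, why = policy(delegates, action)
    if ok:
        safe_balances[action.token_in] -= action.amount_in
        got = action.pool.swap(action.token_in, action.amount_in, action.token_out)
        safe_balances[action.token_out] = safe_balances.get(action.token_out, 0) + got
    return ok, why


def drain_scenario(policy):
    """Attacker, acting as a delegate, swaps the Safe's USDC into a pool of 'u' it owns."""
    delegates = {SAFE: {ATTACKER}}
    rigged = Pool(lp=ATTACKER, reserves={"u": 10**12})
    safe = {"USDC": 1_000_000}
    action = SwapAction(SAFE, ATTACKER, rigged, "USDC", "u", 1_000_000, min_out=0)
    ok, why = execute(policy, delegates, safe, action)
    proceeds = rigged.remove_liquidity(ATTACKER) if ok else {}
    return {"permitted": ok, "reason": why, "safe": safe, "attacker_usdc": proceeds.get("USDC", 0)}


def rebalance_scenario(policy, min_out):
    """A legitimate USDC -> USDT rebalance through a pool someone else provides."""
    delegates = {SAFE: {"0xtreasuryops"}}
    pool = Pool(lp="0xthirdpartylp", reserves={"USDT": 5_000_000})
    safe = {"USDC": 1_000_000}
    action = SwapAction(SAFE, "0xtreasuryops", pool, "USDC", "USDT", 1_000_000, min_out)
    ok, why = execute(policy, delegates, safe, action)
    return {"permitted": ok, "reason": why, "safe": safe}


if __name__ == "__main__":
    print("swap-only policy, rigged pool:", drain_scenario(swap_only_policy))
    print("hardened policy, rigged pool: ", drain_scenario(hardened_policy))
    print("hardened policy, rebalance:   ", rebalance_scenario(hardened_policy, min_out=996_000))
    print("hardened policy, no min_out:  ", rebalance_scenario(hardened_policy, min_out=0))
```

Under the swap-only rule the rigged swap is just another permitted action, and the Safe’s USDC ends up in the attacker’s hands the moment the LP position is withdrawn. The hardened policy never gets that far: the output token is not on the allowlist, and even an allowlisted output would have to clear a minimum-output floor derived from a price the delegate does not control. In a real module that floor is only meaningful if the policy also binds it to the `amountOutMinimum` actually passed to the router; checking that a pool “is Uniswap V3” on its own proves nothing, since the attacker’s pool was one.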

Squid confirmed it is monitoring the situation and will share updates if anything changes materially.