
Squid Router Module Investigation: Cross-Chain Bridge Vulnerability

📅 2025-05-28

SquidRouterModule Safe Wallet Vulnerability Investigation Report

Investigation Date: May 26, 2026

Event Nature: Safe Wallet Module Vulnerability Exploitation

Loss Amount: $3,200,000

Affected Wallets: 86 Gnosis Safes

Attack Chain: Ethereum + Base


📋 Event Overview

On May 26, 2026, blockchain security company Blockaid detected a sustained attack targeting the SquidRouterModule contract. Within approximately 2 hours, the attacker stole a total of $3.2 million in cryptocurrency assets from 86 Gnosis Safe wallets.

After converting funds through attacker-controlled Uniswap V3 pools to DAI, all assets were consolidated and transferred to a single wallet address. PeckShield confirmed that the attacker initially received 2.1 ETH from Tornado Cash as startup capital.

Attacker Wallet: 0xA447...54859


🔍 Attack Methodology Analysis

Attack Flow

  • Vulnerability Identification: The attacker discovered a design flaw in the executeSameChainActions() function of the SquidRouterModule contract
  • Authorization Acquisition: Victim Safe wallets added the malicious contract as a "Trusted Safe Module"
  • Permission Abuse: Once enabled as a module, the contract can control arbitrary tokens in the Safe wallet without owner signatures
  • Exchange Laundering: Stolen tokens were swapped via Uniswap V3 to nearly worthless malicious token "u"
  • Fund Aggregation: All valuable assets were ultimately converted to DAI and aggregated to the attacker's wallet
    Core Vulnerability

    According to Squid's official statement:

    > "The root cause of the vulnerability was that a third-party module erroneously assumed that a publicly visible constant string was sufficient to represent 'safe'. If you pass this string (which is publicly available), you can execute arbitrary call data and steal funds arbitrarily."

    Victim Behavior

    Victim Safe wallets added SquidRouterModule as a "Trusted Safe Module". This authorization was intended to allow the contract to perform certain operations on behalf of the Safe, but the design flaw in this contract made it exploitable.


    📊 Fund Flow Analysis

    | Step | Asset | Status |
    |------|-------|--------|
    | Victim Safe | Various ERC-20 tokens | Stolen |
    | Transit | Malicious token "u" | Worthless |
    | Aggregation | ~$3.07M DAI | Attacker controlled |
    | Initial Funds | 2.1 ETH (Tornado Cash) | Attacker source |

    According to Global Ledger analysis, approximately $5.86M remains scattered across the following wallets, unused:

    • 0xc3...9100: 1,169.96 ETH (~$2.74M)
    • 0x61...2d1c: 1,222.12 ETH (~$2.86M)
    • 0x0c...7836: 0.44 ETH (~$1K)
    • bc1q...x0yt: 3.15 BTC (~$257.6K)


    ⚠️ Relationship with Squid Protocol

    Squid Official Statement

    ⚠️ This is NOT a Squid protocol security incident

    > "This is a third-party SquidRouterModule being exploited, not our protocol's Router contract."

    > "The affected contract used our name but is not our code."

    Safe Labs Confirmation

    Safe Labs CEO Rahul Rumalla stated:

    • Preliminary investigation indicates affected accounts were not operated through the official Safe Wallet product
    • This malicious module had previously been flagged by Blockaid and included in the Safe Shield risk detection framework


    🛡️ Community Protection Recommendations

    For Safe Users

  • Module Authorization Caution: Carefully review any third-party Safe modules
  • Verify Contract Source: Ensure modules come from trusted developers
  • Check Module Permissions: Understand what the module can do once authorized
  • Use Safe Shield: Enable protection services provided by security vendors like Blockaid
    For Protocol Developers

  • Security Assumptions: Do not assume publicly visible strings or constants prove "safety"
  • Principle of Least Privilege: Grant only necessary permissions
  • Security Audits: Third-party integrations should undergo independent audits

    📝 Unique Analysis Perspective

    Risks of "Third-Party Modules"

    This attack reveals systemic risks of "third-party dependencies" in the DeFi ecosystem:

    • Naming Confusion: Malicious contracts use names of legitimate projects, causing users to misjudge
    • Trust Transference: Users trust Safe wallets, but modules trusted by Safe may not be trustworthy
    • Responsibility Vacuum: When third-party modules are exploited, liability attribution is unclear

    Gnosis Safe's "Trusted Module" Mechanism

    The Safe wallet's "Trusted Safe Module" mechanism has good intentions:

    • Allows authorized contracts to execute operations on behalf of the wallet
    • Supports automated strategies and cross-chain functionality
    • Improves usability

    But this also brings risks:

    • Module gains full control
    • Consequences are severe once abused
    • Users find it difficult to assess module security
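
One way to act on the module-review advice, as an added example that is not part of the original report: the Safe contract's `getModulesPaginated(address,uint256)` view call returns the enabled modules, and the code below decodes that return data and lists every module missing from a reviewed allowlist. The sample return data and both module addresses are constructed for illustration; in practice the hex string comes from an `eth_call` against the Safe.

```python
# Added example: audit a Safe's enabled modules against a reviewed allowlist.
SENTINEL = "0x" + "00" * 19 + "01"   # Safe's linked-list sentinel, address(0x1)
ZERO = "0x" + "00" * 20

def _word(data: bytes, i: int) -> bytes:
    """Return the 32-byte ABI word at byte offset i, or fail on short data."""
    w = data[i:i + 32]
    if len(w) != 32:
        raise ValueError("truncated ABI data")
    return w

def _addr(word: bytes) -> str:
    """Convert a left-padded ABI word to a lowercase 0x address."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret_hex: str):
    """Decode the (address[] array, address next) tuple from the view call."""
    raw = ret_hex[2:] if ret_hex.startswith("0x") else ret_hex
    data = bytes.fromhex(raw)
    offset = int.from_bytes(_word(data, 0), "big")    # head: pointer to the array
    nxt = _addr(_word(data, 32))                      # head: cursor for next page
    count = int.from_bytes(_word(data, offset), "big")
    modules = [_addr(_word(data, offset + 32 * (k + 1))) for k in range(count)]
    return modules, nxt

def audit_modules(ret_hex: str, reviewed: set):
    """Report enabled modules that nobody has reviewed and approved."""
    modules, nxt = decode_modules_page(ret_hex)
    approved = {a.lower() for a in reviewed}
    return {
        "modules": modules,
        "unreviewed": [m for m in modules if m not in approved],
        # A cursor other than the sentinel means more modules remain to fetch.
        "more_pages": nxt not in (SENTINEL, ZERO),
    }

def _w(h: str) -> str:
    return h.rjust(64, "0")

# Constructed sample: two enabled modules, end of list (next == sentinel).
REVIEWED_MODULE = "0x" + "11" * 20    # constructed address, on the allowlist
UNKNOWN_MODULE = "0x" + "22" * 20     # constructed address, never reviewed
SAMPLE_RETURN = "0x" + _w("40") + _w("01") + _w("02") + _w("11" * 20) + _w("22" * 20)

if __name__ == "__main__":
    print(audit_modules(SAMPLE_RETURN, {REVIEWED_MODULE}))
```

Any address in `unreviewed` has the signature-free control over the Safe described above and should be verified or disabled before the wallet holds funds.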

    2026 DeFi Attack Patterns

    • April attack losses: $641.67 million
    • May to date: $198 million+
    • Pattern: Smart contract vulnerabilities giving way to operational key leaks and third-party dependency issues


    📚 Data Sources


    Investigator: Onchain Shadow

    OPSEC Statement: This report is based on publicly available on-chain data and media reports. All information comes from public sources.


    Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.