Base/ETH Gnosis Safe exploit drains $3.2M via SquidRouterModule
A Base/ETH exploit reportedly drained about $3.2M from 86 Gnosis Safe wallets in under two hours, using a third-party module called “SquidRouterModule.” PeckShield and Blockaid said the key factor was victim whitelisting and extended permissions, letting the contract execute transfers without additional user signatures.
According to PeckShield, the attacker funded the operation with 2.1 ETH via TornadoCash, then swapped the stolen value into roughly 3M DAI using attacker-controlled Uniswap V3 pools. Blockaid similarly noted the fast compromise across 86 Gnosis Safe wallets, attributed to overly broad approvals tied to the Safe module.
The later reporting adds specific technical context: “SquidRouterModule” allowed an immutable caller-provided string as a “security proof,” which victims accepted when adding it as a trusted Safe module. Importantly, Squid clarified that the exploited module was not developed, deployed, or maintained by Squid’s core protocol, and not all integrators/users were impacted.
For traders, this is a short-term risk-off signal for Base/ETH multisig usage. Review Gnosis Safe module approvals and whitelist settings, because similar “router/module” naming can hide real contract risk linked to SquidRouterModule.
Neutral
The incident is clearly bearish for multisig/Safe users in the short term, but it appears largely isolated to third-party module permissions (not Squid’s core protocol). If traders respond by tightening Safe module whitelists and monitoring contract approvals, the direct market impact on ETH/Base ecosystem pricing may remain limited. However, ongoing scrutiny and potential follow-on investigation can keep sentiment cautious, preventing a strong bullish/ bearish move solely from this news.