Blockaid has detected an active SquidRouterModule exploit on Ethereum and Base. In just over two hours, 86 Gnosis Safes have been drained.
The following is a summary of the information that you will find on this page.
- Blockaid stated that in less than two hours, 86 Gnosis Safes had been drained of about $3 million.
- Blockaid reported that the attacker swapped the stolen assets into DAI via pools he controlled.
- According to related crypto.news coverage, May saw a number of DeFi exploits affecting wallets, stablecoins and bridges.
The blockchain security company said that the stolen tokens were swapped into DAI via attacker-controlled pools. It listed an exploiter address, a consolidation wallet, and a sample drain transaction.
Blockaid's X thread indicates the exploit targeted Gnosis Safes that were linked to SquidRouterModule. According to the firm, the attacker moved fast, emptying dozens of Safes before converting the assets.
The alert identified the exploiter address as 0x9bdc730183821b6bb2b51be30b77c964fa645b91. Etherscan shows 52 transactions recorded at that address, which was funded through Tornado Cash. The activity is dated May 25, according to the data.
Blockaid indicated that the proceeds were held in a consolidation wallet. Etherscan data for the wallet shows that it also holds a small amount of ETH.
Tracking the stolen tokens through Uniswap
The example transaction shared by Blockaid is shown as successful, timestamped 06:25:23 on 25 May. Etherscan indicates that the transaction originated from the exploiter's address and interacted with another address linked to the flow.
The same page displays swaps involving USDC and USDT through Uniswap V3 pools. The details are consistent with Blockaid's claims that the stolen assets were routed through decentralized exchange pools before they were consolidated.
Squid responded by saying that the incident had nothing to do with its contracts or core protocol. Squid's team stated that no Squid users or integrations were affected and that no action was needed. Squid stated that the exploited module was a third-party Gnosis Safe module verified on Basescan as "SquidRouterModule," but that it wasn't built, deployed or operated by Squid.
Squid said that the exploit was caused by a third-party smart wallet module which victims had added to their Safes as a trusted module. The team also said its official router contracts were architecturally distinct and had not been touched.
Security teams stay alert amid May's exploit wave
Onchain security teams have been busy this month. Crypto.news reported that, one day earlier, StablR's EURR and USDR stablecoins had lost their pegs. A suspected compromise of private keys allowed an attacker to take over minting rights and withdraw about $2.8 million.
That report stated that Blockaid had traced StablR's incident back to a compromised multisig owner. According to reports, the attacker minted 12.85 million tokens, then converted them through thin DEX liquidity into proceeds of 1,115 ETH.
Crypto.news also reported that, earlier in May, Blockaid had flagged an active smart contract exploit involving ShapeShift's FOX colony on Arbitrum. The initial loss was $132,700. A related exploit then increased that to around $182,700.
DeFi infrastructure risks remain in focus
Recent coverage of exploits shows that attackers continue to target weak points in smart contracts, proxies and bridges. They also focus on wallets and key management. Crypto.news reported in April 2017 that DefiLlama had logged 518 hacks in the last 10 years alone, with losses of more than 17 billion dollars.
According to the report, recent incidents have shown that attackers target not just smart contract code, but also private keys and signing systems. This pattern is why teams should review module permissions and Safe integrations.
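One way to carry out the module review described above, as an added example that is not code from Blockaid, Squid or Safe: a Safe exposes its enabled modules through the `getModulesPaginated(address,uint256)` view function, and the sketch below decodes that call's ABI return data `(address[] array, address next)` and flags any module missing from an allowlist. The allowlist, the sample return data and the `0x11…`/`0x22…` addresses are constructed placeholders; it assumes the list terminator is the sentinel address `0x…01`.

```python
# Added example: decode one page of a Safe's enabled modules and flag unknowns.
SENTINEL = "0x" + "00" * 19 + "01"   # list terminator used by Safe's ModuleManager
ZERO = "0x" + "00" * 20

def _addr(word: bytes) -> str:
    """Convert a 32-byte ABI word to a lowercase 0x address."""
    if len(word) != 32 or any(word[:12]):
        raise ValueError("not a left-padded address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret_hex: str):
    """Decode ABI return data of type (address[] array, address next)."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    if len(data) < 96 or len(data) % 32:
        raise ValueError("truncated return data")
    offset = int.from_bytes(data[:32], "big")      # where the array starts
    next_ptr = _addr(data[32:64])
    if offset % 32 or offset + 32 > len(data):
        raise ValueError("bad array offset")
    count = int.from_bytes(data[offset:offset + 32], "big")
    body = data[offset + 32:]
    if count * 32 > len(body):
        raise ValueError("array length exceeds data")
    modules = [_addr(body[32 * i:32 * i + 32]) for i in range(count)]
    return modules, next_ptr

def audit_modules(ret_hex: str, allowlist):
    """Return enabled modules, those missing from the allowlist, and paging state."""
    modules, next_ptr = decode_modules_page(ret_hex)
    allowed = {a.lower() for a in allowlist}
    return {
        "modules": modules,
        "unexpected": [m for m in modules if m not in allowed],
        "more_pages": next_ptr not in (SENTINEL, ZERO),
    }

# Constructed sample data (not from the incident): two placeholder modules.
def _pad(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:])

MOD_A, MOD_B = "0x" + "11" * 20, "0x" + "22" * 20
SAMPLE = "0x" + ((0x40).to_bytes(32, "big") + _pad(SENTINEL)
                 + (2).to_bytes(32, "big") + _pad(MOD_A) + _pad(MOD_B)).hex()

if __name__ == "__main__":
    print(audit_modules(SAMPLE, allowlist=[MOD_A]))
```

When `more_pages` is true, the same call is repeated with `next` as the new start address until the sentinel comes back.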
Crypto.news also reported that TrustedVolumes lost roughly $6.7 million in an exploit linked to a custom RFQ proxy. Blockaid and others said approximately $5.87 million had been drained out of the Ethereum resolver.
This latest SquidRouterModule alert adds yet another example where DeFi-connected infrastructure has become an attack surface.
Source: crypto.news

