$3.2 Million Stolen in Gnosis Safe Wallet Exploit

How a Single Module Compromised Dozens of Wallets

Hackers stole $3.2 million from 86 Gnosis Safe wallets on Ethereum and Base. The breach occurred within two hours due to a flaw in the third-party SquidRouterModule. No user passwords were needed—just a vulnerability in identity validation.

The attack exploited a critical flaw in the SquidRouterModule, a smart contract module used to manage wallet permissions. Because the module failed to properly verify ownership, attackers could impersonate legitimate users. This let them transfer funds from Gnosis Safe wallets without authorization. Most affected wallets had interacted with the SquidRoute dApp, which integrates the flawed module.

Security researchers confirmed the exploit relied on improper identity checks. Normally, modules like SquidRouterModule must validate that a transaction request comes from a wallet’s actual owner. In this case, the validation was either missing or bypassed. Attackers sent maliciously crafted transactions that tricked the system into treating them as legitimate.

On-chain data shows the first theft occurred at approximately 14:22 UTC. Over the next 120 minutes, funds were drained in rapid succession. The attacker moved assets to a central address before converting some into stablecoins. Final tally: 86 wallets hit, total loss around $3.2 million. Most victims were on Ethereum, though several were on Base, Coinbase’s Layer 2 network.

Could More Wallets Be at Risk?

Gnosis team members acknowledged the issue publicly, clarifying that the core Safe contract was not compromised. „The vulnerability lies in a third-party module, not in Safe’s main protocol,” one developer stated. They urged users to review permissions granted to external modules.

Yes—any wallet that has authorized the SquidRouterModule remains potentially vulnerable until permissions are revoked. While the active exploit appears to have stopped, the malicious contract is still on the blockchain. Security firms warn that similar flaws may exist in other modular DeFi tools.

Revoke.so, a contract permission tracker, reported a surge in users revoking access to unknown modules after the incident. Experts stress that modular design, while flexible, increases risk when third-party code isn’t audited thoroughly.

Frequently Asked Questions

The incident highlights growing risks in decentralized finance, where trust in one small component can jeopardize entire accounts. Unlike centralized platforms, stolen crypto is nearly impossible to recover. Users bear full responsibility for managing permissions.

What is the SquidRouterModule? It’s a third-party smart contract module that helps route transactions in Gnosis Safe wallets. It’s not part of the official Gnosis Safe system but can be added by users. The flaw allowed attackers to mimic wallet owners.

How can I protect my Gnosis Safe wallet? Revoke access to any unknown or unused modules, especially SquidRouterModule. Use tools like Revoke.so to check active permissions. Only enable modules from trusted, audited sources.

Is the Gnosis Safe platform still safe to use? Yes, the core Safe protocol was not breached. The exploit targeted a user-added module. As long as third-party code is carefully vetted, Gnosis Safe remains secure.