Blockaid Detects $3 Million SquidRouterModule Exploit Drain Across 86 Gnosis Safes

A fresh DeFi exploit has drained nearly $3 million from users linked to the SquidRouterModule on Ethereum and Base, according to blockchain security firm Blockaid.

The attack reportedly affected 86 Gnosis Safes within about two hours, with stolen funds quickly swapped into DAI through attacker-controlled Uniswap V3 pools. The incident adds to a growing list of crypto exploits recorded throughout May as attackers continue targeting wallets, bridges, and protocol integrations.

SquidRouterModule exploit drains 86 Safes

Blockaid said the exploit targeted Gnosis Safes connected to the SquidRouterModule, allowing the attacker to rapidly move funds across multiple wallets before converting the assets.

The security firm identified the exploiter address as 0x9bdc730183821b6bb2b51be30b77c964fa645b91. Blockchain data from Etherscan showed the address had been funded through Tornado Cash and recorded dozens of transactions on May 25.

Blockaid also flagged a consolidation wallet that appeared to hold most of the stolen funds. Onchain data showed the wallet contained around 3.07 million DAI alongside a small ETH balance at the time of reporting.

Stolen assets routed through Uniswap V3 pools

One transaction highlighted by Blockaid was executed at 06:25 UTC on May 25 and showed the attacker interacting with multiple tokens and liquidity pools.

Etherscan records linked the transaction to swaps involving USDC, ENA, and USDT through Uniswap V3 pools before the assets were consolidated into DAI. The movement matched Blockaid’s claim that the exploiter used decentralized exchange liquidity to process and hide the stolen funds.

The speed of the exploit raised fresh concerns around wallet modules and connected DeFi infrastructure, especially integrations tied to multisig systems and router permissions.

DeFi exploits continue to rise in May

The SquidRouterModule exploit is the latest in a series of attacks tracked by security firms this month.

Earlier in May, stablecoin issuer StablR suffered a private key compromise that led to the loss of about $2.8 million after attackers gained control of minting permissions. Blockaid also recently detected exploits involving ShapeShift’s FOX Colony and TrustedVolumes, with combined losses reaching millions of dollars.

Recent reports from DeFiLlama showed crypto hacks have exceeded $17 billion over the past decade, with attackers increasingly targeting wallets, bridges, signing systems, and private key management instead of only exploiting smart contract code.

Meanwhile, the team behind the Verus blockchain recovered most of the funds stolen in its recent bridge exploit after the attacker returned 4,052 Ether, worth about $8.5 million, in exchange for a bounty payout.

 
