ChainSentinel Forensic Report: SquidRouterModule $3.2M Exploit
Report ID: CS-2026-0621-001
Date: June 21, 2026
Analyst: onchain-shadow
What Happened
On May 25, 2026, an attacker drained $3.2 million from 86 Gnosis Safe wallets in just 2 hours by exploiting a third-party module deceptively named "SquidRouterModule." The module was NOT built by Squid Protocol — it was a third-party Safe module that chose to share Squid's brand name.
Key Findings
Attacker Addresses (Verified)
| Role | Address |
|---|---|
| Attacker EOA | 0x9bdc730183821b6bb2b51be30b77c964fa645b91 |
| Consolidation Wallet | 0xA447...54859 (holds ~3.07M DAI) |
| Vulnerable Contract | SquidRouterModule (verified on Basescan) |
| Fake Token | 0xe6Ff...3512 (symbol: "u") |
Funding Source
- 2.1 ETH from Tornado Cash — deliberate identity obfuscation
- 52 transactions executed during the 2-hour attack window
How The Attack Worked
The vulnerability was embarrassingly simple: the module checked if a caller-supplied string matched a publicly-readable constant. No gateway validation. No cryptographic proof. Just a string comparison anyone could bypass.
Attack Flow
1. Deploy fake token "u" on Ethereum
2. Create Uniswap V3 pools: fake_token/USDC, fake_token/USDT, fake_token/ENA
3. Call expressExecuteWithToken() with forged calldata
4. Module bypasses validation (string == squidRouter constant)
5. Victim Safe tokens approved & swapped for worthless "u" tokens
6. Remove liquidity → extract real assets
7. Consolidate into DAI wallet
Result: 86 Safe wallets drained. ~$3.2M converted to DAI. All in 2 hours.
The Root Cause
The _executeWithToken function only checked:
require(srcAddress == squidRouter); // squidRouter is a public constant string
This is NOT validation. The attacker can pass any string they want. The legitimate Squid Router calls gateway.validateContractCallAndMint() — actual cryptographic verification through Axelar's validator network.
This is the same vulnerability pattern as CrossCurveFi. Cross-chain integrations that skip gateway validation are open attack surfaces.
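As an added illustration (not the SquidRouterModule source and not Squid Protocol's code), here is the check described above beside a gateway-backed version of the same entry point; it also covers the "never trust caller-supplied strings" and "validate through bridge Gateway authorization" recommendations later in this report. The report's `srcAddress == squidRouter` is shorthand (Solidity has no `==` for strings), so the vulnerable variant compares hashes explicitly. `IAxelarGateway.validateContractCallAndMint` is Axelar's public gateway interface and `ISafe.execTransactionFromModule` is Safe's module entry point; the contract names, constructor parameters, payload layout and placeholder addresses are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: contrasts a string-compare "source check" with gateway-backed
// validation. Contract names, payload layout and addresses are assumed.

interface IAxelarGateway {
    // Axelar gateway: returns true only for a (commandId, chain, source,
    // payloadHash, symbol, amount) tuple approved by the validator network,
    // and consumes the approval so the same call cannot be replayed.
    function validateContractCallAndMint(
        bytes32 commandId,
        string calldata sourceChain,
        string calldata sourceAddress,
        bytes32 payloadHash,
        string calldata symbol,
        uint256 amount
    ) external returns (bool);
}

interface ISafe {
    enum Operation { Call, DelegateCall }
    // Safe module entry point: a module enabled on the Safe can make it execute
    // arbitrary calls, which is why module-level authorization must be solid.
    function execTransactionFromModule(
        address to,
        uint256 value,
        bytes memory data,
        Operation operation
    ) external returns (bool success);
}

// Shared forwarding logic; the only difference between the two modules below
// is what they require before reaching it.
abstract contract ModuleBase {
    function _run(bytes calldata payload) internal {
        // Assumed payload layout: (safe, target, calldata)
        (address safe, address to, bytes memory data) =
            abi.decode(payload, (address, address, bytes));
        require(
            ISafe(safe).execTransactionFromModule(to, 0, data, ISafe.Operation.Call),
            "safe call failed"
        );
    }
}

// VULNERABLE PATTERN: the gate is a string compare against a public constant.
contract StringCheckedModule is ModuleBase {
    // Placeholder value; any reader of the chain can fetch it and echo it back.
    string public constant squidRouter = "0x0000000000000000000000000000000000000001";

    function executeWithToken(string calldata srcAddress, bytes calldata payload) external {
        // Proves nothing about origin: msg.sender chooses srcAddress freely.
        require(
            keccak256(bytes(srcAddress)) == keccak256(bytes(squidRouter)),
            "bad source"
        );
        _run(payload);
    }
}

// HARDENED PATTERN: the gateway, not the caller, vouches for the message.
contract GatewayCheckedModule is ModuleBase {
    IAxelarGateway public immutable gateway;
    bytes32 private immutable trustedSourceHash; // keccak256("chain:address")

    constructor(IAxelarGateway gateway_, string memory chain, string memory sourceAddress) {
        gateway = gateway_;
        trustedSourceHash = keccak256(abi.encodePacked(chain, ":", sourceAddress));
    }

    function executeWithToken(
        bytes32 commandId,
        string calldata sourceChain,
        string calldata sourceAddress,
        bytes calldata payload,
        string calldata tokenSymbol,
        uint256 amount
    ) external {
        bytes32 payloadHash = keccak256(payload);
        // Cryptographic check: the call fails unless Axelar validators approved
        // exactly these parameters. A caller cannot forge this by copying a string.
        require(
            gateway.validateContractCallAndMint(
                commandId, sourceChain, sourceAddress, payloadHash, tokenSymbol, amount
            ),
            "not approved by gateway"
        );
        // Defense in depth: even gateway-approved calls must come from the one
        // remote sender this module was deployed to serve.
        require(
            keccak256(abi.encodePacked(sourceChain, ":", sourceAddress)) == trustedSourceHash,
            "untrusted source"
        );
        _run(payload);
    }
}
```

The point of the hardened variant is that the origin claim is checked against state the gateway wrote after validator consensus, so the caller-supplied `sourceAddress` is only meaningful once `validateContractCallAndMint` has confirmed it; the trusted-source check then narrows which approved messages this particular module will act on.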
Fund Laundering Pattern
Tornado Cash (2.1 ETH)
→ Attacker EOA (0x9bdc...5b91)
→ Exploit Execution (52 txs)
→ Fake Token Swaps (Uniswap V3)
→ Remove Liquidity
→ DAI Consolidation (0xA447...54859, ~3.07M DAI)
The attacker followed the standard playbook: mixer → exploit → DEX → consolidation. Predictable, but effective at the individual level.
Attribution Leads
- Tornado Cash withdrawal — permanent on-chain marker, correlatable with exchange KYC
- Consolidation wallet — any outbound movement is trackable
- Basescan deployer metadata — contract verification reveals deployer info
- Safe module integration — which wallet product approved this module?
Related: Axelar IBC Exploit ($4.67M, June 20)
25 days later, another cross-chain validation failure: $4.67M stolen from Axelar-to-Secret Network IBC bridge via ICS-20 contract vulnerability. Combined with SquidRouterModule, cross-chain exploits have cost $7.87M in May-June 2026 alone.
Recommendations
For Protocols:
- NEVER trust caller-supplied strings as message proof
- Always validate through bridge Gateway authorization
- Audit all third-party Safe modules before integration
For Investigators:
- Monitor consolidation wallet 0xA447...54859
- Flag attacker EOA across all exchanges
- Correlate Tornado Cash withdrawal with exchange records
About the Analyst
I'm onchain-shadow — I build on-chain investigation tools and publish forensic reports. My wallet tracker (65+ labeled addresses) runs continuous monitoring on DeFi exploits.
If you need custom forensic analysis, incident response, or continuous monitoring for your protocol/insurance fund, reach out on Twitter @onchain-shadow.
Services available:
- Post-incident forensic reports ($500-2,000)
- Real-time exploit response ($5,000 startup + recovery fee)
- Continuous monitoring subscriptions ($99-499/month)
All findings based on verified on-chain data and multi-source OSINT. Sources: Blockaid, PeckShield, Squid Protocol, The Block, BlockSec, PANews.