New Market Trading SquidRouterModule Exploit
A confused-deputy access-control flaw in New Market Trading's third-party SquidRouterModule let an attacker drain roughly $3.8 million from 88 Gnosis Safe wallets across Ethereum, Base, and Arbitrum.
- Date: May 25, 2026
- Victim: New Market Trading
- Status
- Funds Stolen: roughly $3.8 million
- Attribution: 0x9bdc730183821b6bb2b51be30b77c964fa645b91
On May 25, 2026, New Market Trading lost approximately $3.8 million when an attacker exploited a broken access-control check in its custom Gnosis Safe module, SquidRouterModule. In under 15 minutes, 88 user Safes were drained across Ethereum, Base, and Arbitrum — and anyone who read the verified contract could have done it.
What happened
The module suffered a classic confused-deputy vulnerability. SquidRouterModule inherited expressExecuteWithToken() from Axelar's gateway interface — a function built for relayers, not vault execution — and placed no additional access control behind it. A second check, hasPermission(safe, delegate, APPROVE), ran a real registry lookup but sourced the delegate address from the caller's own payload rather than from msg.sender. The attacker simply read the public contract, copied the expected constant string, encoded a real delegate address from an open on-chain registry, and called the function that had sat unguarded for roughly three months. The 2.1 ETH used to seed the operation was withdrawn from Tornado Cash. Proceeds were consolidated across the three chains via Relay and sent as roughly 3.07 million DAI to an attacker wallet on Ethereum.
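To make the authorization bug concrete, here is an added, illustrative Solidity sketch that is not the SquidRouterModule source: a vulnerable module that authorizes a payload-supplied delegate beside a hardened one that authorizes msg.sender. The registry and Safe interfaces, the APPROVE encoding and the payload layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in for the permission registry the module consults (interface name assumed).
interface IPermissionRegistry {
    function hasPermission(address safe, address delegate, bytes32 permission) external view returns (bool);
}

// Stand-in for the Safe's module entry point (follows Safe's execTransactionFromModule ABI).
interface ISafe {
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation) external returns (bool);
}

bytes32 constant APPROVE = keccak256("APPROVE"); // encoding of the constant is assumed

// VULNERABLE: the delegate whose permission is checked is read from the caller's payload.
// Anyone can name a delegate that is publicly known to hold APPROVE on the target Safe.
contract VulnerableModule {
    IPermissionRegistry public immutable registry;
    constructor(IPermissionRegistry r) { registry = r; }

    function expressExecuteWithToken(bytes calldata payload) external {
        (address safe, address delegate, address to, bytes memory data) =
            abi.decode(payload, (address, address, address, bytes));
        // Real registry lookup, wrong principal: `delegate` is attacker-chosen, not msg.sender.
        require(registry.hasPermission(safe, delegate, APPROVE), "no permission");
        ISafe(safe).execTransactionFromModule(to, 0, data, 0);
    }
}

// HARDENED: the principal is msg.sender; nothing in calldata can impersonate another delegate.
contract HardenedModule {
    IPermissionRegistry public immutable registry;
    constructor(IPermissionRegistry r) { registry = r; }

    function execute(address safe, address to, bytes calldata data) external {
        // The delegate is whoever signed this transaction, verified by the registry.
        require(registry.hasPermission(safe, msg.sender, APPROVE), "no permission");
        ISafe(safe).execTransactionFromModule(to, 0, data, 0);
    }

    // The relayer-facing expressExecuteWithToken entry point is deliberately absent: if a
    // cross-chain path is needed, it must be gated to the trusted gateway and must derive
    // the delegate from gateway-authenticated data, never from a caller-supplied payload.
}
```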
Aftermath
New Market Trading's CEO publicly confirmed the exploit and offered the attacker a 10% bounty for returning the funds, with a deadline of May 30. Squid distanced itself from the incident, clarifying that the vulnerable contract — verified on Basescan under the name "SquidRouterModule" — was a third-party smart-wallet product that had integrated Squid but was "not built, deployed, or operated by Squid," and that Squid's core protocol and users were unaffected.
Why it matters
The New Market Trading drain is a textbook confused deputy: a privileged function trusted attacker-supplied data in place of msg.sender, the same class of authorization bug behind many of the catalogue's smart-contract exploits. It also underlines a recurring integration-risk lesson — a third party reused a recognizable name and wired itself into established protocols, so the blast radius and reputational damage landed partly on Squid despite its contracts being untouched. For Gnosis Safe users, the takeaway is blunt: a custom module is unguarded attack surface with full asset authority, and a public, verified contract gives an attacker the exact recipe.
Sources & on-chain evidence
- [01] quillaudits.com: https://www.quillaudits.com/blog/hack-analysis/new-market-trading-exploit
- [02] rekt.news: https://rekt.news/newmarkettrading-rekt
- [03] crypto.news: https://crypto.news/blockaid-flags-3m-squidroutermodule-exploit-across-86-safes/
- [04] beincrypto.com: https://beincrypto.com/squid-disowns-3-2m-squidroutermodule-exploit/