New Market Trading: The Missing Check That Drained 86 Wallets
86 crypto wallets. Two hours. $3.2 million gone. The code that made it possible was publicly readable on the blockchain the whole time.

A Gnosis Safe is one of the most trusted wallet systems in crypto. Think of it as a high-security vault that requires multiple keyholders to agree before anything moves. Banks use them. DAOs use them. Serious protocols trust hundreds of millions of dollars to them.
The safety comes from the core design. But the safe itself can be extended with third-party plugins - modules that add new functionality. And that is where the problem was.
On May 25, 2026, blockchain security firm Blockaid detected an active exploit targeting something called the SquidRouterModule - a plugin built by a company called New Market Trading, whose CEO is Frank Hepworth. The module was designed to let users route cross-chain transactions more easily. It was verified on Basescan, which means its source code was publicly visible to anyone who looked.
Someone looked.
The bug was elementary. The SquidRouterModule used a function called executeSameChainActions() that was supposed to check who was calling it before allowing any action. Instead of doing a real verification, it accepted a caller-supplied constant string as proof of authorization. Any string. Provided by the attacker themselves.
In plain English: the lock on the door accepted any key you handed it, including one you made yourself five minutes ago.
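The pattern described above, as an added sketch that is not New Market Trading's code (the module's source is not reproduced on this page): a check that compares caller-supplied input with a readable constant, next to one that authorizes on msg.sender. The contract names, parameters, the tag value and the "any Safe owner" policy are assumptions made for illustration; only executeSameChainActions() is named in the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal view of the Safe functions a module relies on.
interface ISafe {
    function isOwner(address owner) external view returns (bool);
    function execTransactionFromModule(
        address to, uint256 value, bytes calldata data, uint8 operation
    ) external returns (bool success);
}

// Flawed pattern: "authorization" is a value the caller passes in.
contract FlawedModule {
    // Constructed constant; anyone reading verified source can copy it.
    bytes32 private constant AUTH_TAG = keccak256("constructed-example-tag");

    function executeSameChainActions(
        ISafe safe, string calldata authTag, address to, bytes calldata data
    ) external {
        // Compares caller-chosen input with a public constant. msg.sender is
        // never examined, so the check says nothing about who is calling.
        require(keccak256(bytes(authTag)) == AUTH_TAG, "bad tag");
        require(safe.execTransactionFromModule(to, 0, data, 0), "exec failed");
    }
}

// Hardened pattern: authorization derives from msg.sender, which the EVM
// sets and the caller cannot forge.
contract HardenedModule {
    error NotSafeOwner(address caller);

    function executeSameChainActions(
        ISafe safe, address to, bytes calldata data
    ) external {
        // Assumed policy: only an owner of the target Safe may act on it.
        // A stricter module would require the Safe's full signature threshold.
        if (!safe.isOwner(msg.sender)) revert NotSafeOwner(msg.sender);
        require(safe.execTransactionFromModule(to, 0, data, 0), "exec failed");
    }
}
```

When reviewing a module before enabling it on a Safe, trace every external function that reaches execTransactionFromModule and confirm the path is gated on msg.sender or on verified signatures, never on a value taken from calldata.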
The attacker seeded a wallet with 2.1 ETH from Tornado Cash - a privacy tool used to obscure the source of funds - and built Foundry-based exploit contracts to systematically trigger the vulnerability. The exploit ran across Ethereum and Base simultaneously.
Eighty-six Gnosis Safe wallets were drained in approximately two hours. USDC, USDT, and ENA were swept out and routed through attacker-controlled Uniswap V3 pools, where they were converted into DAI - a stablecoin that is easier to hold without triggering automated flags. The proceeds consolidated into a single wallet containing approximately $3.07 million DAI.
That wallet has not moved since.
The collateral damage hit a name that had nothing to do with any of this. Squid - the actual cross-chain routing protocol - issued a public statement within hours: "This incident is unrelated to Squid's core protocol and contracts. All Squid users and integrators are unaffected and no action is needed." Squid also confirmed that the SquidRouterModule "was neither developed, deployed, nor operated by them; the name was independently chosen by a third party when integrating with Squid."
Squid built a cross-chain bridge. New Market Trading built a plugin and named it after Squid. New Market Trading's plugin had a one-line bug. Squid had to spend a day convincing the internet it was not their fault.
QuillAudits put total losses from NMT-linked contracts at $3.78 million. The attacker reached out to Volo Protocol via on-chain message - an embedded note in a transaction - and received no response.
The module was verified on Basescan. That means the source code was publicly readable. Verification on a block explorer does not mean the code was audited. It does not mean it was tested. It means it was readable. The bug was in the readable code. Anyone who read it could have found the same thing.
$3.07 million DAI is sitting in one wallet. Nobody knows who holds it. There is no recovery mechanism, no compensation plan, and no legal action announced. The 86 wallets that were drained have no path to getting their money back.
New Market Trading reached out to the attacker via on-chain message. The attacker did not respond.
The Aftermath
The $3.07 million in DAI remains consolidated in a single attacker-controlled wallet that has not moved since the hack. New Market Trading sent an on-chain message to the attacker requesting contact - no response was received. There is no announced compensation plan for the 86 drained wallets. No recovery mechanism exists. Squid clarified its separation from the incident and confirmed core operations were unaffected. QuillAudits attributed $3.78M in total NMT-linked losses. Investigation by Blockaid and PeckShield is ongoing.