Luisa Crawford
May 25, 2026 15:52
A third-party module exploit drained $3.2M from Safe wallets on Ethereum and Base. Squid and Safe Labs distance themselves from responsibility.
A third-party module exploit targeting Safe wallets drained $3.2 million across Ethereum and Base networks on May 25, 2026. Blockchain security firm Blockaid attributed the attack to a vulnerability in the ‘SquidRouterModule,’ which reportedly allowed the hacker to bypass wallet authorization protocols.
The exploit impacted at least 86 Gnosis Safe accounts within two hours, with stolen assets quickly swapped into DAI via attacker-controlled Uniswap V3 pools. About 3.07 million DAI has since been consolidated into a single wallet, according to Blockaid’s report. Ethereum’s price remained largely unaffected, trading at $2,123.47 (+1.49% on the day).
How the Attack Worked
Blockaid’s analysis revealed that the attack leveraged a flaw in the SquidRouterModule’s executeSameChainActions() function. The function reportedly used a publicly known constant string to validate transactions, which allowed the attacker to impersonate trusted delegates and execute unauthorized token swaps. The vulnerability exploited overly broad execution permissions granted to the module by affected wallet users.
Safe, formerly known as Gnosis Safe, is one of the most widely used multi-signature wallet solutions. Its modular architecture allows users to extend wallet functionality with third-party smart contracts, a feature that can introduce security risks if deployed carelessly. This incident highlights the dangers of granting broad permissions to unverified modules.
Squid and Safe Labs Respond
The exploit initially caused confusion due to its name, which resembles the cross-chain protocol Squid. Squid quickly clarified on social platform X that it neither developed nor deployed the vulnerable SquidRouterModule. “A third-party SquidRouterModule was exploited, not Squid’s Router contract,” the team said, emphasizing that the module shared its name but not its codebase.
Safe Labs CEO Rahul Rumalla stated that the affected wallets were not operated on the official Safe Wallet platform but rather through externally deployed integrations. He pointed to the platform’s “Safe Shield” feature, which flags potentially malicious modules, noting that Blockaid had already flagged the SquidRouterModule as risky before the breach. Despite this, some users had granted the module permissions, exposing their funds to the exploit.
Bigger Picture: Risks in Composable Wallets
This attack underscores the risks associated with composable wallet extensions and third-party modules in decentralized finance (DeFi). While modular architectures like Safe’s can improve usability and flexibility, they can also serve as attack vectors if users fail to vet integrations rigorously. Similar exploits have surged in 2026, raising concerns about the security of cross-chain protocols and wallet infrastructure.
For traders and wallet users, this incident is a reminder to use caution when enabling third-party modules, especially those requiring extensive permissions. Safe’s built-in risk detection features, such as Safe Shield, can help mitigate risks but are only effective if users heed warnings and avoid flagged modules.
What’s Next?
As of now, neither Safe nor Squid has announced plans for user compensation, and the identity of the attacker remains unknown. Blockchain sleuths will likely track the stolen DAI in the coming weeks to monitor any attempts to launder the funds.
For Ethereum users, the broader lesson is clear: while the ecosystem’s composability is a strength, it comes with significant security trade-offs. As DeFi and cross-chain activity grow, so do the stakes—and the vulnerabilities.
Image source: Shutterstock
Credit: Source link
