Exploit of Safe Wallet Module Leads to $3.2M Theft

Severity: High (Score: 68.2)

Sources: Bitget, cointelegraph.com, Kucoin

Published: 2026-05-25 · Updated: 2026-05-26

Keywords: module, safe, third-party, squid, exploit, drained, million

Summary

A vulnerability in the third-party module 'SquidRouterModule' was exploited to drain Safe wallets, resulting in a loss of $3.2 million. The attack affected at least 86 accounts on Ethereum and Base, with stolen tokens converted to Dai via Uniswap V3 pools. Blockchain security firm Blockaid reported that the exploit allowed attackers to impersonate authorized delegates, bypassing verification. Safe Labs CEO Rahul Rumalla indicated that the affected accounts were not operated on the official Safe Wallet product. Blockaid, which is part of Safe Shield's risk detection rules, had previously flagged the module as malicious. The incident emphasizes the risks associated with third-party integrations in decentralized finance (DeFi) environments.

Key Points:

  • A vulnerability in the SquidRouterModule drained $3.2 million from Safe wallets.
  • The exploit affected at least 86 accounts across Ethereum and Base networks.
  • Safe Labs confirmed that the affected accounts were not part of the official Safe Wallet product.

Detailed Analysis

**Impact** At least 86 Safe wallets across Ethereum and Base networks were compromised, resulting in a theft totaling approximately $3.2 million. The affected wallets were single-signature accounts that had integrated a third-party module named “SquidRouterModule” as a trusted Safe module. The stolen tokens were swapped to Dai (DAI) through attacker-controlled Uniswap V3 pools. The incident impacts users of Safe wallets who rely on third-party modules, with losses concentrated in DeFi sectors on these blockchains.

**Technical Details** The attacker exploited a vulnerability in the third-party SquidRouterModule integrated into Safe wallets, allowing message forgery to bypass verification and impersonate authorized delegates. This enabled unauthorized token swaps and fund transfers from the targeted wallets. The exploited module shares its name with but is distinct from the Squid cross-chain protocol’s router contract. The attack occurred within approximately two hours, with stolen assets routed through Uniswap V3 pools controlled by the attacker. No specific CVEs or malware names were provided.

**Recommended Response** Defenders should immediately audit Safe wallet modules for unauthorized or unverified third-party integrations, particularly the SquidRouterModule, and remove or block flagged malicious modules using Safe Shield or equivalent detection tools. Monitor for unusual token swap transactions, especially those involving Dai on Uniswap V3 pools. Users should avoid deploying or approving modules that have not been verified or flagged as safe. No patches are currently available; continuous monitoring of wallet module permissions and transaction approvals is advised.
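
One way to carry out the module audit recommended above, as an added example that is not from the source articles: it decodes the return data of a Safe's `getModulesPaginated(address,uint256)` view call and lists enabled modules that are missing from a reviewer-maintained allowlist. The response bytes are assumed to come from an `eth_call` made separately; the sample response, the helper names and both module addresses are constructed.

```python
# Added example (not from the source articles). Addresses below are constructed.
ZERO = "0x" + "00" * 20
SENTINEL = "0x" + "00" * 19 + "01"   # address(0x1): end of Safe's module linked list

def _word(data: bytes, i: int) -> bytes:
    """Return the 32-byte ABI word at byte offset i, rejecting truncated data."""
    w = data[i:i + 32]
    if len(w) != 32:
        raise ValueError("truncated ABI data")
    return w

def _addr(word: bytes) -> str:
    """ABI addresses are left-padded with 12 zero bytes; reject anything else."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret_hex: str):
    """Decode the (address[] array, address next) tuple from getModulesPaginated."""
    raw = ret_hex[2:] if ret_hex.startswith("0x") else ret_hex
    data = bytes.fromhex(raw)
    offset = int.from_bytes(_word(data, 0), "big")    # head slot 0: offset of array
    nxt = _addr(_word(data, 32))                      # head slot 1: pagination cursor
    length = int.from_bytes(_word(data, offset), "big")
    if length > (len(data) - offset) // 32:
        raise ValueError("array length exceeds returned data")
    return [_addr(_word(data, offset + 32 * (k + 1))) for k in range(length)], nxt

def audit_modules(ret_hex: str, allowlist):
    """Report enabled modules that are not on the reviewer's allowlist."""
    modules, nxt = decode_modules_page(ret_hex)
    allowed = {a.lower() for a in allowlist}
    return {
        "enabled": modules,
        "unapproved": [m for m in modules if m not in allowed],
        "more_pages": nxt not in (SENTINEL, ZERO),  # zero treated as end defensively
    }

def _pad(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:])

# Constructed sample: one reviewed module and one unknown module, last page.
REVIEWED = "0x" + "11" * 20
UNKNOWN = "0x" + "22" * 20
SAMPLE = "0x" + ((0x40).to_bytes(32, "big") + _pad(SENTINEL)
                 + (2).to_bytes(32, "big") + _pad(REVIEWED) + _pad(UNKNOWN)).hex()

if __name__ == "__main__":
    print(audit_modules(SAMPLE, [REVIEWED]))
```

Any address reported under `unapproved` is a module that can execute transactions from the Safe without owner signatures and should be reviewed or disabled; when `more_pages` is true, repeat the call with the returned cursor before concluding.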

Source articles (4)

  • Squid and Safe Labs say third-party module behind $3.2M exploit — Bitget · 2026-05-25
    A suspected third-party Safe module exploit has drained $3.2 million from wallets across Ethereum and Base, with multiple teams pointing to an external module as the cause. Blockchain security platfor…
  • Cointelegraph — cointelegraph.com · 2026-05-25
    A third-party module drained $3 million from Safe wallets, with Squid attributing the incident to an external Safe module, saying its core systems were unaffected. A suspected third-party Safe module…
  • The Squid security incident was caused by a vulnerability in the SquidRouterModule of Safe Wallet. — Kucoin · 2026-05-26
    Yu Xian, founder of SlowMist, posted on X to analyze the Squid security incident, stating that sampling revealed all related Safe wallets were single-signature, with different owners; however, the iss…
  • The Squid security incident was caused by a vulnerability in the Safe Wallet module. — Kucoin · 2026-05-26
    ChainCatcher report: Yu Xian, founder of SlowMist, posted on X to analyze the Squid security incident, stating that sampled analysis revealed all related Safe wallets were single-signature, with diffe…

Timeline

  • 2026-05-25 — Exploit reported by Blockaid: Blockaid disclosed that a vulnerability in the SquidRouterModule led to a $3.2 million theft from Safe wallets.
  • 2026-05-25 — Squid clarifies involvement: Squid stated the exploit was unrelated to its core protocol, clarifying that the issue was with a third-party module.
  • 2026-05-26 — Analysis by SlowMist founder: Yu Xian from SlowMist reported that the vulnerability allowed attackers to bypass verification and transfer funds from Safe wallets.
  • 2026-05-26 — Further analysis confirms exploit method: Yu Xian confirmed that the exploit was due to a vulnerability in the SquidRouterModule, affecting multiple wallets.

Related entities

  • Supply Chain Attack (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Safe (Company)
  • Base (Company)
  • Ethereum (Company)
  • Gnosis Safe (Company)
  • CWE-862 - Missing Authorization (CWE)
  • T1078 - Valid Accounts (MITRE ATT&CK)
  • T1195 - Supply Chain Compromise (MITRE ATT&CK)
  • Basescan (Platform)
  • Safe Shield (Platform)
  • Safe Wallet (Platform)
  • SquidRouterModule (Platform)
  • Uniswap V3 (Platform)