A suspected third-party Safe module exploit has drained about $3.2 million from wallets across Ethereum and Base, with multiple teams pointing to an external module as the cause.
Blockchain security platform Blockaid reported the incident on Monday, saying it involved a contract labeled “SquidRouterModule,” which initially led to confusion over a possible link to the cross-chain protocol Squid.
Squid later said on X that the issue was unrelated to its core protocol and instead involved a third-party module integrated into Safe wallets.
“A third-party SquidRouterModule was exploited, not Squid’s Router contract,” Squid said, adding that the contract shares its name but not its code.
The incident highlights how a trusted wallet module can be used to move funds if it has been granted broad execution permissions within a smart account.
86 Gnosis Safes drained for $3 million in about two hours
Safe, formerly Gnosis Safe, is a multi-sign wallet running on multiple networks, which requires a minimum number of users to approve a transaction before execution.
It can also be extended with optional modules, which are smart contracts that allow approved code to execute actions on behalf of the wallet.
According to Blockaid, the attack affected at least 86 Safe accounts within roughly two hours, with all stolen tokens swapped to Dai (DAI) via attacker-controlled Uniswap V3 pools.
Source: PeckShieldAlert
The suspected root cause is a vulnerability in SquidRouterModule, which allegedly allowed the attacker to impersonate authorized delegates and trigger unauthorized token swaps, Blockaid said.
Module attribution and Safe response
Safe Labs CEO Rahul Rumalla said the accounts “do not seem to be operated on official Safe Wallet product,” adding that it remains unclear how and where they were created and managed, likely created through externally deployed integrations.
Source: Rahul Rumalla
He said Safe Wallet surfaces such risks through “Safe Shield,” a feature designed to flag potentially malicious or unverified modules and guards before they are used. The CEO added that the exploited module had already been flagged as malicious by Blockaid, which is included in Safe Shield’s risk detection ruleset.
Cointelegraph approached Safe and its CEO for comment but did not receive a response by publication time.