Written by Helen Partz , Staff Writer.Reviewed by Robert Lakin , Staff Editor.Written by Helen Partz , Staff Writer.Reviewed by Robert Lakin , Staff Editor.Squid and Safe Labs say third-party module behind $3.2M exploit
Latest NewsPublishedMay 25, 2026A third-party module drained about $3 million from Safe wallets, with Squid attributing the incident to an external Safe module, saying its core systems were unaffected.
A suspected third-party Safe module exploit has drained about $3.2 million from wallets across Ethereum and Base, with multiple teams pointing to an external module as the cause.
Blockchain security platform Blockaid reported the incident on Monday, saying it involved a contract labeled “SquidRouterModule,” which initially led to confusion over a possible link to the cross-chain protocol Squid.
Squid later said on X that the issue was unrelated to its core protocol and instead involved a third-party module integrated into Safe wallets.
“A third-party SquidRouterModule was exploited, not Squid’s Router contract,” Squid said, adding that the contract shares its name but not its code.
The incident highlights how a trusted wallet module can be used to move funds if it has been granted broad execution permissions within a smart account.
86 Gnosis Safes drained for $3 million in about two hours
Safe, formerly Gnosis Safe, is a multi-sign wallet running on multiple networks, which requires a minimum number of users to approve a transaction before execution.
It can also be extended with optional modules, which are smart contracts that allow approved code to execute actions on behalf of the wallet.
Related: DeFi hacks shake institutional confidence as risks outpace yields
According to Blockaid, the attack affected at least 86 Safe accounts within roughly two hours, with all stolen tokens swapped to Dai (DAI) via attacker-controlled Uniswap V3 pools.
Source: PeckShieldAlert
The suspected root cause is a vulnerability in SquidRouterModule, which allegedly allowed the attacker to impersonate authorized delegates and trigger unauthorized token swaps, Blockaid said.
Module attribution and Safe response
Safe Labs CEO Rahul Rumalla said the accounts “do not seem to be operated on official Safe Wallet product,” adding that it remains unclear how and where they were created and managed, likely created through externally deployed integrations.
Source: Rahul Rumalla
He said Safe Wallet surfaces such risks through “Safe Shield,” a feature designed to flag potentially malicious or unverified modules and guards before they are used. The CEO added that the exploited module had already been flagged as malicious by Blockaid, which is included in Safe Shield’s risk detection ruleset.
Cointelegraph approached Safe and its CEO for comment but did not receive a response by publication time.
Magazine: ETH bears growling, Tom Lee’s buying, XRP to ‘explode’: Market Moves
Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently.More on the subject
‘TrapDoor’ malware targets crypto dev tools in supply chain attack11 hours agoMartin Young
StablR Euro and US dollar stablecoins depeg after $2.8M exploitMay 24, 2026Martin Young
70% of all crypto wrench attacks happen in France: ReportMay 23, 2026Vince Quill‘TrapDoor’ malware targets crypto dev tools in supply chain attack11 hours agoMartin YoungStablR Euro and US dollar stablecoins depeg after $2.8M exploitMay 24, 2026Martin Young70% of all crypto wrench attacks happen in France: ReportMay 23, 2026Vince Quill