Third-party module exploit drains $3.2M from Safe wallets

A flaw in a third-party SquidRouterModule let attackers swap tokens and drain about $3.2 million from at least 86 Safe wallets on Ethereum and Base, Blockaid reports.

Security firm Blockaid reported Monday that an exploited third-party module labeled “SquidRouterModule” drained about $3.2 million from at least 86 Safe wallets on the Ethereum and Base networks. The transfers took place over roughly two hours.

Blockaid’s on-chain tracing shows attackers performed unauthorized token swaps and converted all stolen assets to DAI using Uniswap V3 pools controlled by the attacker.

Blockaid identified a likely vulnerability in SquidRouterModule that allowed the attacker to impersonate authorized delegates and initiate swaps without wallet owners’ approval.

Squid posted on X that the exploited contract was a third-party module that shares its name with Squid’s Router but not its code, and that Squid’s core Router contract was not involved. The post stated: “A third-party SquidRouterModule was exploited, not Squid’s Router contract.”

Safe, formerly Gnosis Safe, is a multi-signature smart contract wallet that can be extended with optional modules, which can execute actions on behalf of a Safe when granted permission. Safe Labs CEO Rahul Rumalla stated the affected accounts “do not seem to be operated on official Safe Wallet product” and suggested they were likely created or managed through external integrations. He noted the exploited module had been flagged by Blockaid and added to Safe Shield’s detection ruleset.
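Because an enabled module can act for a Safe, owners can periodically check which modules are enabled against a list they have reviewed. The following is an added example, not code from Blockaid, Safe or Squid: it decodes the return data of the Safe contract's `getModulesPaginated` view call and flags modules missing from an owner-maintained allowlist. The addresses, the return data and the allowlist are constructed assumptions.

```python
# Added example: addresses and return data below are constructed placeholders.
SENTINEL = "0x" + "0" * 39 + "1"   # Safe's module linked-list start/end marker

def _word(data: bytes, offset: int) -> bytes:
    """Return the 32-byte ABI word at offset, rejecting truncated data."""
    word = data[offset:offset + 32]
    if len(word) != 32:
        raise ValueError("truncated ABI data")
    return word

def _address(word: bytes) -> str:
    """Convert a left-padded ABI word to a lowercase 0x address."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret_hex: str):
    """Decode (address[] array, address next) as returned by getModulesPaginated."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    array_offset = int.from_bytes(_word(data, 0), "big")
    next_cursor = _address(_word(data, 32))
    count = int.from_bytes(_word(data, array_offset), "big")
    if count > (len(data) - array_offset - 32) // 32:
        raise ValueError("array length exceeds returned data")
    base = array_offset + 32
    return [_address(_word(data, base + 32 * i)) for i in range(count)], next_cursor

def audit_modules(ret_hex: str, allowlist):
    """Return (unexpected_modules, complete) for one page of enabled modules."""
    modules, next_cursor = decode_modules_page(ret_hex)
    allowed = {a.lower() for a in allowlist}
    unexpected = [m for m in modules if m not in allowed]
    return unexpected, next_cursor == SENTINEL  # sentinel cursor: no more pages

def _enc(addr: str) -> str:
    """ABI-encode an address as a 32-byte hex word (used to build the sample)."""
    return addr[2:].rjust(64, "0")

APPROVED = "0x" + "aa" * 20   # constructed: module the owners reviewed
UNKNOWN = "0x" + "bb" * 20    # constructed: module nobody approved
SAMPLE_RETURN = "0x" + "".join([
    format(0x40, "064x"),      # offset of the dynamic array
    _enc(SENTINEL),            # next cursor
    format(2, "064x"),         # array length
    _enc(APPROVED), _enc(UNKNOWN),
])

if __name__ == "__main__":
    unexpected, complete = audit_modules(SAMPLE_RETURN, [APPROVED])
    print("unexpected modules:", unexpected, "| list complete:", complete)
```

When the returned cursor is not the sentinel, more modules remain and the call has to be repeated from that cursor before the audit is complete.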

On-chain watchers including PeckShield flagged suspicious activity related to the exploit. Investigators and security teams are tracing the funds and assessing the scope of the compromise. There has been no public report of centralized fund recovery.

It remains unclear how the attacker obtained the module permissions or how the vulnerable module was integrated into the affected Safes.
