A suspected third-party Safe module exploit has drained about $3.2 million from wallets across Ethereum and Base.
Blockchain security firm Blockaid reported the incident Monday, linking it to a contract labeled 'SquidRouterModule.' This initially raised concerns about the cross-chain protocol Squid, but Squid clarified the issue was unrelated to its core protocol and involved a third-party module integrated into Safe wallets.
"A third-party SquidRouterModule was exploited, not Squid's Router contract," Squid stated, noting the contract shares its name but not its code.
The attack affected at least 86 Safe accounts within roughly two hours. All stolen tokens were swapped to Dai (DAI) via attacker-controlled Uniswap V3 pools.

The suspected root cause is a vulnerability in SquidRouterModule that let the attacker impersonate authorized delegates and trigger unauthorized token swaps.
Safe Labs CEO Rahul Rumalla said the compromised accounts were likely created through externally deployed integrations and not operated on the official Safe Wallet product. He noted that Safe Wallet surfaces such risks through 'Safe Shield,' which flags malicious or unverified modules. The exploited module had already been flagged as malicious by Blockaid.
