What caused the Safe wallet exploit that drained $3.2 million?

Blockchain security researchers said the exploit was linked to a third-party module called “SquidRouterModule” integrated into Safe wallets. Attackers reportedly abused broad execution permissions to trigger unauthorised token swaps across affected accounts.

Was the exploit caused by Squid’s core protocol?

No. Squid said the exploited contract only shared a similar name with its infrastructure and was not part of its core router system. The company described it as an externally integrated third-party module.

How much crypto was stolen in the Safe wallet exploit?

Researchers estimated roughly $3.2 million was drained from wallets across Ethereum and Base. The attack reportedly affected at least 86 Safe accounts within about two hours.

What is a Safe wallet module?

Safe modules are optional smart contracts that extend wallet functionality and allow approved code to execute actions on behalf of the wallet. While they add flexibility, poorly secured or malicious modules can also introduce additional attack risks.

Why are third-party wallet modules considered risky?

Third-party modules can receive broad permissions that allow them to move funds or execute transactions automatically. If vulnerabilities exist or permissions are abused, attackers may gain indirect control over wallet assets without compromising the wallet’s core infrastructure.

How did the attackers reportedly move the stolen funds?

Blockaid said the stolen tokens were swapped into Dai through attacker-controlled Uniswap V3 liquidity pools. Converting assets quickly into stablecoins is a common tactic used in crypto exploits.

Did Safe’s official wallet platform get hacked?

Safe Labs chief executive Rahul Rumalla said the compromised accounts did not appear to be managed through Safe’s official wallet product. He suggested the wallets were likely created through external integrations rather than Safe’s core platform.

What is Safe Shield and did it warn users before the exploit?

Safe Shield is a risk detection system designed to flag suspicious modules and wallet configurations. Rumalla said the exploited module had already been flagged as potentially malicious before the attack occurred.

Image for illustrative purposes only. Not a real photo.

Safe wallet exploit linked to third-party module

Written by Mahathir BayenaPublished May. 26 2026Last Updated May. 26 2026

A suspected exploit tied to a third-party Safe wallet module drained roughly $3.2 million from wallets across Ethereum and Base, according to blockchain security researchers.

Blockaid said the incident involved a contract labelled “SquidRouterModule,” initially raising concerns over a potential connection to cross-chain protocol Squid.

Squid later clarified that the exploited contract was not part of its core infrastructure and instead involved an externally integrated module sharing a similar name.

“A third-party SquidRouterModule was exploited, not Squid’s Router contract,”

Squid said in a statement posted on X.

The exploit reportedly affected at least 86 Safe wallet accounts over roughly two hours, with stolen assets swapped into Dai through attacker-controlled Uniswap V3 liquidity pools.

Researchers said the vulnerability may have allowed attackers to impersonate authorised delegates and execute token swaps through the module’s broad execution permissions within Safe smart accounts.

Safe Labs chief executive Rahul Rumalla said the affected accounts did not appear to be managed through Safe’s official wallet product and were likely created through external integrations.

Rumalla added that Safe’s “Safe Shield” protection system had already flagged the exploited module as potentially malicious before the incident occurred.

At the time of reporting, Ethereum price was $2,100.85.