Image credit: Pexels
A third-party module tied to Safe smart accounts drained about $3.2 million from wallets on Ethereum and Base on May 25, while Squid and Safe Labs both said their core protocols and contracts were not breached.
Blockaid said the attack hit a contract labeled “SquidRouterModule,” which caused early confusion because the name resembled Squid’s branding.
Squid and Safe Deny Core Breach
Squid said the exploited contract was not built, deployed or operated by its team. The protocol said its core router and user funds were unaffected. Safe Labs also said the issue involved a third-party module named SquidRouterModule, not Safe’s core smart account contracts.
That distinction matters because the attack appears to have involved an external module that some wallets had enabled, rather than a flaw in Squid’s router or Safe’s base wallet system.
86 Safe Wallets Drained in Two Hours
Security researchers said the exploit affected at least 86 Safe wallets across Ethereum and Base over roughly two hours. The stolen assets were swapped through attacker-controlled Uniswap V3 pools and consolidated into about 3.07 million DAI.
Early technical analysis points to weak validation inside the enabled third-party module. Reports citing Blockaid said the flaw allowed the attacker to execute arbitrary calldata once the contract had been enabled as a trusted module on victim wallets. That means the affected wallets had already given the module a powerful role before the exploit was triggered.
3.07M DAI Consolidated After Swaps
The attacker moved quickly after the wallets were drained. Stolen assets were routed through Uniswap V3 pools controlled by the attacker before being consolidated into DAI.
That conversion helped simplify the stolen balance and made the exploit easier to track across Ethereum and Base. The incident shows how fast damage can spread when a wallet-level integration has execution permissions.
Third-Party Modules Became the Attack Surface
Safe modules extend wallet functionality, but they can also introduce serious risk. Safe’s developer documentation says enabled modules can execute transactions through a Safe and bypass normal signature verification logic.
That makes module security critical because a vulnerable or malicious add-on can become the real attack surface even when the base wallet remains intact.
For users and teams, the immediate lesson is narrow but important. The exploit appears limited to wallets that enabled the vulnerable third-party module. Still, it shows how integration risk can sit outside core contracts and expose wallets that trust external execution logic.
