A sophisticated exploit involving a suspected third-party smart contract module has drained approximately $3.2 million from various cryptocurrency wallets across the Ethereum and Base networks. Blockchain security firm Blockaid initially reported the incident, pointing to a contract labeled “SquidRouterModule” as the primary gateway for the theft. While the name immediately sparked confusion and concern among users of the popular cross-chain protocol Squid, the company was quick to distance its core systems from the attack, confirming that the breach stemmed from an external integration rather than its own native infrastructure.
The Mechanics of the Multi-Million Dollar Drain
The attack was both rapid and highly coordinated, compromising at least 86 Safe accounts in a narrow window of roughly two hours. Safe, formerly known as Gnosis Safe, operates as a highly trusted multi-signature wallet ecosystem across several blockchain networks. These wallets inherently require multiple user approvals before executing a transaction, but they also allow users to integrate optional smart contract modules to automate specific actions and approvals. In this particular incident, a severe vulnerability within the third-party SquidRouterModule granted the attacker dangerously broad execution permissions within the affected smart accounts.
According to security analysts at Blockaid, the underlying vulnerability allowed malicious actors to bypass standard security checks and impersonate authorized wallet delegates. Once they established this unauthorized access, the attackers rapidly triggered token swaps directly from the victims’ balances. All of the stolen digital assets were systematically swapped into the Dai stablecoin using attacker-controlled Uniswap V3 liquidity pools, successfully extracting the $3.2 million before the wallet owners could recognize the breach and revoke the module’s permissions.
Safe Labs and Squid Clarify the Exploit’s Origins
In the immediate aftermath of the multi-million dollar drain, both Safe Labs and Squid publicly clarified the situation to reassure their respective user bases. Squid explicitly stated that while the exploited contract shared the “SquidRouterModule” name, it did not utilize the protocol’s official code. The cross-chain platform emphasized that its native router contract remains completely secure, serving as a harsh reminder of the risks associated with granting extensive wallet permissions to unofficial, third-party extensions that merely borrow recognized names.
Safe Labs CEO Rahul Rumalla further detailed the scope of the incident, noting that the compromised accounts do not appear to have been operated through the official Safe Wallet product interface. Instead, they were likely created and managed through externally deployed third-party integrations. Rumalla pointed out that the official Safe Wallet relies on a built-in security feature called Safe Shield, which is specifically designed to flag unverified or potentially malicious modules before a user interacts with them. Notably, Blockaid’s risk detection ruleset, which helps power Safe Shield, had already flagged the exploited module as a verified threat prior to the attacks, underscoring the vital importance of utilizing active threat-detection tools when navigating the decentralized finance ecosystem.
