$3.2M Vanishes in 2 Hours as Safe Wallet Module Exploit Drains 86 Crypto Vaults
Key Takeaways:
- About $3.2M was siphoned from both the Ethereum and Base networks using a third-party Safe module exploit.
- Attackers drained 86 Safe wallets and swapped the stolen assets for DAI.
- Squid has confirmed that its core protocol and router contracts were not impacted.
A possible exploit in a third-party wallet module caused Safe assets to be drained over the past few hours. The vulnerability enabled a rapid attack on users of Safe accounts across both the Ethereum and Base chains, with millions of dollars lost within hours.
The attacker abused the module's internal privileges to conduct unauthorized token swaps and convert the proceeds to stablecoins, security researchers said.
86 Safe Wallets Drained in Coordinated Attack
Blockchain security firm Blockaid reported that attackers targeted a contract known as SquidRouterModule, affecting at least 86 Safe wallets in roughly two hours. The stolen assets were immediately swapped through attacker-controlled Uniswap V3 pools before being consolidated into approximately $3.07 million worth of DAI.
🚨 Blockaid detected an ongoing exploit targeting the SquidRouterModule on Ethereum and Base.
86 Gnosis Safes drained for ~$3M in ~2 hours.
All stolen tokens swapped to DAI via attacker-controlled Uniswap V3 pools.
More details in 🧵
— Blockaid (@blockaid_) May 25, 2026
According to the investigation, the exploit likely originated from a flaw in the module’s executeSameChainActions() function. According to the attacker, they used custom exploit contracts to abuse the module's DelegateBundler mechanism, which let them execute transactions from victims' wallets by posing as an authorized delegate.
Once access was obtained, assets from each Safe were exchanged for a nearly worthless token called “u”, which had minimal market activity and only a small number of holders.
How the Swap Scheme Worked
Researchers believe the attacker created and funded Uniswap V3 liquidity pools pairing the fake token with legitimate crypto assets. Victim funds were swapped into the attacker-controlled token, enabling the exploiter to extract valuable assets while leaving wallets holding effectively worthless tokens.
Squid Distances Itself From the Exploited Contract
The incident initially sparked confusion because the compromised contract carried the name “SquidRouterModule.” But the cross-chain protocol Squid said the impacted contract was built by others and was not developed, deployed or operated by its team.
According to Squid, the design flaw that made the exploit possible came from a third-party smart-wallet module that assumed a publicly visible constant string was enough to secure it.
Safe Labs Highlights Existing Security Warnings
Safe Labs CEO Rahul Rumalla said preliminary findings suggest the affected accounts were not operated through official Safe Wallet products. Rumalla also revealed that the compromised module had previously been identified as malicious by Blockaid and included within Safe Shield’s risk-detection framework.
This incident shows how the risks from external wallet extensions are growing, especially when they are granted broad powers of execution over users’ assets. It is also a reminder that smart wallet security isn’t just about the smart wallet itself; it’s about every module and integration connected to it.
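One way to act on that point, as an added example that is not from the article, Blockaid or Safe: list the modules enabled on a Safe and compare them with a list of flagged module addresses. It decodes the raw return data of the Safe contract's `getModulesPaginated(address,uint256)` view call; the sample data and both addresses are constructed placeholders, and `audit_modules` is a hypothetical helper name.

```python
# Added example: audit the modules enabled on a Safe (defensive check).
SENTINEL = "0x" + "00" * 19 + "01"  # Safe's module-list sentinel, address(0x1)

def _addr(word):
    """Convert one 32-byte ABI word into a lowercase 0x address."""
    if len(word) != 32 or any(word[:12]):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret_hex):
    """Decode (address[] array, address next) from raw eth_call return data."""
    raw = ret_hex[2:] if ret_hex.startswith("0x") else ret_hex
    data = bytes.fromhex(raw)
    if len(data) < 96 or len(data) % 32:
        raise ValueError("return data too short or not word-aligned")
    words = [data[i:i + 32] for i in range(0, len(data), 32)]
    offset = int.from_bytes(words[0], "big")  # byte offset of the array
    if offset % 32 or offset < 64 or offset // 32 >= len(words):
        raise ValueError("bad array offset")
    start = offset // 32
    count = int.from_bytes(words[start], "big")
    if start + 1 + count > len(words):
        raise ValueError("array length exceeds return data")
    modules = [_addr(w) for w in words[start + 1:start + 1 + count]]
    return modules, _addr(words[1])

def audit_modules(ret_hex, flagged):
    """Report enabled modules, flagged hits, and whether the list is complete."""
    modules, nxt = decode_modules_page(ret_hex)
    deny = {a.lower() for a in flagged}
    return {
        "enabled": modules,
        "flagged": [m for m in modules if m in deny],
        # Anything but the sentinel means more modules exist beyond this page.
        "complete": nxt == SENTINEL,
    }

# Constructed sample: two enabled modules, end of list reached.
MOD_A, MOD_B = "0x" + "11" * 20, "0x" + "22" * 20  # placeholder addresses
SAMPLE = "0x" + "".join(h.rjust(64, "0") for h in
                        ("40", "01", "02", "11" * 20, "22" * 20))

if __name__ == "__main__":
    print(audit_modules(SAMPLE, flagged=[MOD_B]))
```

In practice `ret_hex` would come from an `eth_call` to the Safe address with the sentinel as `start` and a page size larger than the expected module count; a result with `complete` set to false needs a further page before the audit can be trusted.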
The post $3.2M Vanishes in 2 Hours as Safe Wallet Module Exploit Drains 86 Crypto Vaults appeared first on CryptoNinjas.