Safe Wallet Module Exploit Drains $3.2M from 86 Accounts
A vulnerable third-party module, SquidRouterModule, was exploited to drain $3.2M from 86 Safe accounts on Ethereum and Base. The attacker swapped stolen funds to DAI; Blockaid and Safe Labs are investigating, noting the module was flagged as malicious.
Quick Take
- 86 Safe accounts drained for $3.2M via SquidRouterModule vulnerability.
- Attacker impersonated delegates to trigger unauthorized token swaps.
- Stolen tokens converted to DAI using attacker-created Uniswap V3 pools.
- Safe Labs says module was not part of official Safe Wallet and was flagged by Safe Shield.
Market Impact Analysis
Bearish: Exploit highlights risks in smart contract wallets, potentially dampening confidence in DeFi infrastructure and causing short-term caution.
Key Takeaways
- $3.2 million drained from 86 Safe accounts via a third-party module vulnerability.
- The SquidRouterModule allowed attackers to impersonate delegates and force unauthorized token swaps.
- Stolen tokens were immediately converted to DAI through attacker-controlled Uniswap V3 pools.
- Safe Labs confirmed the module was not part of the official wallet and had been flagged as malicious.
What Happened
A third-party module integrated into Safe wallets was exploited, draining $3.2 million from 86 accounts on Ethereum and Base. Dubbed SquidRouterModule, the vulnerable code allowed an attacker to impersonate authorized delegates and trigger unauthorized token swaps. Blockchain security firm Blockaid reported the incident on Monday, noting the swaps were executed via attacker-controlled Uniswap V3 pools. All stolen tokens were converted to DAI. Safe Labs CEO Rahul Rumalla clarified that the affected accounts were not operated on the official Safe Wallet product, and the module had already been flagged as malicious by Safe Shield.
The Numbers
The attack drained $3.2 million from 86 separate Safe accounts in roughly two hours. Every stolen token was swapped to DAI using Uniswap V3 pools created by the attacker, making tracing and recovery difficult. The SquidRouterModule, a non-official extension, had been granted broad execution permissions, enabling the swift theft. Safe Shield’s risk detection had already flagged the module as malicious, but the accounts were likely managed through external integrations bypassing these warnings.
Why It Happened
The exploit traces to a vulnerability in the SquidRouterModule that allowed delegate impersonation. Safe wallets are extensible through modules—smart contracts that can execute actions on behalf of the wallet. When granted excessive permissions, as in this case, a flawed module becomes a direct attack vector. The incident underscores the risks of unaudited third-party code in modular account systems. Even with warning mechanisms like Safe Shield, users operating through custom frontends may remain exposed.
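One check a Safe owner can run against the module risk described above, as an added example that is not from the article, Safe Labs or Blockaid: decode the return data of the Safe contract's `getModulesPaginated(address,uint256)` view and flag enabled modules that are missing from a reviewed allowlist. The sample return data and both module addresses are constructed, and fetching the bytes with `eth_call` is left out so the block runs offline.

```python
# Added example: audit a Safe's enabled modules against a reviewed allowlist.
SENTINEL = "0x" + "00" * 19 + "01"  # Safe's module linked-list sentinel address

def enc_addr(addr: str) -> bytes:
    """ABI-encode an address as one 32-byte word (used to build sample data)."""
    return bytes(12) + bytes.fromhex(addr[2:])

def _word(data: bytes, i: int) -> bytes:
    return data[32 * i: 32 * i + 32]

def _addr(word: bytes) -> str:
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret: bytes):
    """Decode (address[] array, address next) as returned by getModulesPaginated."""
    if len(ret) < 96 or len(ret) % 32:
        raise ValueError("truncated return data")
    offset = int.from_bytes(_word(ret, 0), "big")  # byte offset of the array
    nxt = _addr(_word(ret, 1))
    if offset % 32 or offset + 32 > len(ret):
        raise ValueError("bad array offset")
    base = offset // 32
    count = int.from_bytes(_word(ret, base), "big")
    if (base + 1 + count) * 32 > len(ret):
        raise ValueError("array length exceeds data")
    return [_addr(_word(ret, base + 1 + i)) for i in range(count)], nxt

def audit(ret: bytes, allowlist):
    """Report enabled modules that nobody has reviewed and approved."""
    modules, nxt = decode_modules_page(ret)
    allowed = {a.lower() for a in allowlist}
    unreviewed = [m for m in modules if m not in allowed]
    # next == sentinel means the list is exhausted; otherwise query another page
    return {"modules": modules, "unreviewed": unreviewed, "more_pages": nxt != SENTINEL}

# Constructed sample: one reviewed module and one unknown module, last page.
REVIEWED = "0x" + "aa" * 20
UNKNOWN = "0x" + "bb" * 20
SAMPLE = ((0x40).to_bytes(32, "big") + enc_addr(SENTINEL) +
          (2).to_bytes(32, "big") + enc_addr(REVIEWED) + enc_addr(UNKNOWN))

if __name__ == "__main__":
    print(audit(SAMPLE, [REVIEWED]))
```

Any address in `unreviewed` is a contract that can execute transactions from the Safe without owner signatures, so it should be verified or disabled before funds stay in the account.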
Broader Impact
The breach shakes confidence in smart contract wallet infrastructure. For institutional and individual users alike, the event highlights the danger of trusting external modules without rigorous auditing. Safe’s reputation may face short-term pressure, and DeFi platforms could see increased scrutiny over third-party integrations. The industry must prioritize transparent module verification and user education to prevent similar exploits.
What to Watch Next
- Investigations by Blockaid and Safe Labs into the exact attack path and whether other modules share the same flaw.
- Potential regulatory attention on wallet security standards and mandatory module auditing.
- Market reaction from DeFi protocols relying on Safe’s infrastructure, including possible outflows or calls for enhanced security.
This article is for informational purposes only and does not constitute financial advice.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved.