Safe Wallet Module Exploit Drains $3.2M from Ethereum and Base
L'essentiel
- A suspected third-party module exploit on Safe wallets has drained approximately $3.2 million in crypto assets from Ethereum and Base networks.
- The attack targeted a module named "SquidRouterModule," leading to confusion with the cross-chain protocol Squid, which clarified it was unrelated.
Résumé généré par IA
Pourquoi c'est important
A suspected exploit involving a third-party module within Safe wallets has led to the draining of approximately $3.2 million from user accounts across the Ethereum and Base networks. The incident involved a contract named "SquidRouterModule," which was integrated into Safe wallets and granted broad execution permissions.
A suspected third-party Safe module exploit has drained about $3.2 million from wallets across Ethereum and Base, with multiple teams pointing to an external module as the cause.
Blockchain security platform Blockaid reported the incident on Monday, saying it involved a contract labeled “SquidRouterModule,” which initially led to confusion over a possible link to the cross-chain protocol Squid.
Squid later said on X that the issue was unrelated to its core protocol and instead involved a third-party module integrated into Safe wallets.
“A third-party SquidRouterModule was exploited, not Squid’s Router contract,” Squid said, adding that the contract shares its name but not its code.
The incident highlights how a trusted wallet module can be used to move funds if it has been granted broad execution permissions within a smart account.
86 Gnosis Safes drained for $3 million in about two hours
Safe, formerly Gnosis Safe, is a multi-sign wallet running on multiple networks, which requires a minimum number of users to approve a transaction before execution.
It can also be extended with optional modules, which are smart contracts that allow approved code to execute actions on behalf of the wallet.
Related: DeFi hacks shake institutional confidence as risks outpace yields
According to Blockaid, the attack affected at least 86 Safe accounts within roughly two hours, with all stolen tokens swapped to Dai (DAI) via attacker-controlled Uniswap V3 pools.
Source: PeckShieldAlert
The suspected root cause is a vulnerability in SquidRouterModule, which allegedly allowed the attacker to impersonate authorized delegates and trigger unauthorized token swaps, Blockaid said.
Module attribution and Safe response
Safe Labs CEO Rahul Rumalla said the accounts “do not seem to be operated on official Safe Wallet product,” adding that it remains unclear how and where they were created and managed, likely created through externally deployed integrations.
Source: Rahul Rumalla
He said Safe Wallet surfaces such risks through “Safe Shield,” a feature designed to flag potentially malicious or unverified modules and guards before they are used. The CEO added that the exploited module had already been flagged as malicious by Blockaid, which is included in Safe Shield’s risk detection ruleset.
Cointelegraph approached Safe and its CEO for comment but did not receive a response by publication time.
Questions ouvertes
- How and where were the affected Safe accounts created and managed?
- What specific vulnerability in the SquidRouterModule allowed the attacker to impersonate authorized delegates?
- Will Safe implement further measures to prevent similar exploits in the future?
- What is the total number of users affected beyond the 86 identified accounts?
