An exploit directed against a third-party component led to the unauthorized removal of approximately 3.2 million dollars from several digital wallets on May 25, 2026. The security breach directly impacted multiple addresses configured across the Ethereum and Base networks, completing the asset drain within an estimated two-hour timeframe, according to data analyzed and publicly shared by the Blockaid security platform.
🚨 Blockaid detected an ongoing exploit targeting the SquidRouterModule on Ethereum and Base.
86 Gnosis Safes drained for ~$3M in ~2 hours.
All stolen tokens swapped to DAI via attacker-controlled Uniswap V3 pools.
More details in 🧵
— Blockaid (@blockaid_) May 25, 2026
The vulnerability was located in an external smart contract named SquidRouterModule, which initially caused uncertainty in the market because its name resembles that of a well-known cross-chain decentralized interoperability protocol.
This incident is unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed.
A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable… https://t.co/I3gGmdBvE9
— squid (@squidrouter) May 25, 2026
Following the initial alerts linking the attack to the Squid Router infrastructure, the development team of that protocol issued an official clarification to dissociate their systems from the vulnerability vector. In a statement published on the X platform, Squid confirmed that its core contracts and the official Router governing its standard operations did not experience any form of alteration or security compromise.
Technical representatives emphasized that the contract exploited by the attackers is a third-party development that implemented the same naming convention but does not share any lines of source code with the legitimate Squid protocol, thereby ruling out a supply chain failure in their core software.
Safe wallet operations and risk mitigation
To understand the mechanics of the compromise, it is necessary to examine the architecture of the affected wallets. Safe, the platform formerly known within the blockchain sector as Gnosis Safe, consists of a multi-signature wallet system that operates natively across various smart contract networks. Its design requires a pre-established minimum number of co-owners or authorized keys to explicitly approve each transaction before it can be executed and recorded on the distributed ledger.
However, this security structure can be extended through optional modules: complementary smart contracts that grant external code the ability to execute automated tasks on behalf of the main wallet without requiring manual signatures for every single movement.
According to preliminary technical reports issued by digital forensic analysis firms, the attack was made possible by a critical flaw in the design of the aforementioned third-party contract. This flaw allowed the attacker to forge credentials or spoof the identity of delegates who held prior authorizations within the system, triggering a series of token swap instructions completely unauthorized by the actual owners of the funds. In total, the attacker managed to compromise a minimum of 86 Safe accounts within the recorded timeframe.
All digital assets extracted from the victims’ wallets were immediately transferred and swapped for the Dai (DAI) stablecoin, utilizing specific liquidity pools on the Uniswap V3 platform that were under the direct manipulation or control of the exploiting entity. These incidents show how attacks on DeFi directly impact institutional asset custody strategies by introducing unforeseen vectors through poorly integrated secondary tools.
The response from the core development entity of the multi-signature wallets provided additional details regarding the operational conditions of the breached addresses. Rahul Rumalla, chief executive officer of Safe Labs, publicly stated that the accounts affected during the incident show no indications of being managed or created using the official interface or product provided by Safe Wallet. The CEO indicated that the exact deployment method, as well as the environment where these keys were administered, remains under technical investigation, though evidence points to them corresponding exclusively to custom integrations developed and implemented by external platforms or third-party applications connecting remotely to the Safe standard.
Additionally, Rumalla detailed the current capabilities of their defense systems to prevent interaction with potentially harmful software. The Safe Wallet architecture natively features a functionality called Safe Shield, specifically structured to monitor, detect, and alert users to the presence of modules or protection systems that are suspicious, malicious, or lack the corresponding security certifications on the network.
The executive confirmed that the automated detection modules of Safe Shield, which feed directly from threat rules and signatures developed by Blockaid, had already registered the third-party contract under the malicious software category before the mass theft of funds occurred on Monday on the Ethereum and Base networks. This means that users employing standardized interfaces had visible warnings regarding the danger.
As of the publication of this informative note, security teams from both organizations continue to cross-reference data to establish with total precision whether there are other wallets with similar permission configurations that could be exposed to future capital drains. Confirmation regarding the identity of the attacker’s wallet or whether on-chain analysis firms will manage to coordinate with centralized exchanges to freeze the funds converted to DAI remains pending. Investigations remain open to define the technical responsibilities of the third-party code involved.
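The check for "similar permission configurations" comes down to listing which modules each Safe has enabled. The following is an added example, not code from this article, Safe or Blockaid: it decodes the `(address[] array, address next)` return data of the Safe contract's `getModulesPaginated(address start, uint256 pageSize)` view and flags modules that are not on an operator-maintained allowlist. The `fetch_page` callback, the allowlist and the sample addresses are hypothetical and constructed for illustration.

```python
# Added example: audit the modules enabled on a Safe from raw eth_call return data.
SENTINEL = "0x" + "00" * 19 + "01"  # head/tail marker of Safe's module linked list
ZERO = "0x" + "00" * 20

def _word(data: bytes, off: int) -> bytes:
    if off < 0 or off + 32 > len(data):
        raise ValueError(f"truncated ABI data at offset {off}")
    return data[off:off + 32]

def _address(word: bytes) -> str:
    # An ABI address is left-padded with 12 zero bytes; anything else is malformed.
    if word[:12] != bytes(12):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret: bytes):
    """Decode ABI-encoded (address[] array, address next)."""
    offset = int.from_bytes(_word(ret, 0), "big")   # where the dynamic array starts
    nxt = _address(_word(ret, 32))
    count = int.from_bytes(_word(ret, offset), "big")
    if count > (len(ret) - offset - 32) // 32:
        raise ValueError("array length exceeds returned data")
    modules = [_address(_word(ret, offset + 32 * (i + 1))) for i in range(count)]
    return modules, nxt

def audit_modules(fetch_page, allowlist, page_size=10, max_pages=50):
    """Walk every page; return (enabled modules, modules not on the allowlist)."""
    allowed = {a.lower() for a in allowlist}
    seen, start = [], SENTINEL                      # first page starts at the sentinel
    for _ in range(max_pages):                      # bound the walk defensively
        modules, nxt = decode_modules_page(fetch_page(start, page_size))
        seen.extend(modules)
        if nxt in (SENTINEL, ZERO):                 # end of the list
            break
        start = nxt
    return seen, [m for m in seen if m not in allowed]

def _encode_page(modules, nxt):                     # builds constructed sample data only
    pad = lambda a: bytes(12) + bytes.fromhex(a[2:])
    return ((0x40).to_bytes(32, "big") + pad(nxt) +
            len(modules).to_bytes(32, "big") + b"".join(pad(m) for m in modules))

# Constructed placeholder addresses, not real contracts.
MOD_A, MOD_B, MOD_C = ("0x" + c * 20 for c in ("aa", "bb", "cc"))
SAMPLE = {SENTINEL: ([MOD_A, MOD_B], MOD_B), MOD_B: ([MOD_C], SENTINEL)}

def sample_fetch(start, page_size):                 # stands in for an eth_call
    return _encode_page(*SAMPLE[start])

if __name__ == "__main__":
    print(audit_modules(sample_fetch, allowlist=[MOD_A, MOD_C], page_size=2))
```

In a real audit, `fetch_page` would issue the `eth_call` against each Safe address on Ethereum and Base, and any module outside the allowlist would be reviewed before it is left enabled.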

