Luisa Crawford
May 25, 2026 15:52
A third-party module exploit drained $3.2M from Safe wallets on Ethereum and Base. Squid and Safe Labs distance themselves from responsibility.
A third-party module exploit targeting Safe wallets drained $3.2 million across the Ethereum and Base networks on May 25, 2026. Blockchain security firm Blockaid attributed the attack to a vulnerability in the ‘SquidRouterModule,’ which reportedly allowed the hacker to bypass wallet authorization protocols.
The exploit impacted at least 86 Gnosis Safe accounts within two hours, with stolen assets quickly swapped into DAI via attacker-controlled Uniswap V3 pools. About 3.07 million DAI has since been consolidated into a single wallet, according to Blockaid’s report. Ethereum’s price remained largely unaffected, trading at $2,123.47 (+1.49% on the day).
How the Attack Worked
Blockaid’s analysis revealed that the attack leveraged a flaw in the SquidRouterModule’s executeSameChainActions() function. The function reportedly used a publicly known constant string to validate transactions, which allowed the attacker to impersonate trusted delegates and execute unauthorized token swaps. The vulnerability exploited overly broad execution permissions granted to the module by affected wallet users.
Safe, formerly known as Gnosis Safe, is one of the most widely used multi-signature wallet solutions. Its modular architecture allows users to extend wallet functionality with third-party smart contracts, a feature that can introduce security risks if deployed carelessly. This incident highlights the dangers of granting broad permissions to unverified modules.
Squid and Safe Labs Respond
The exploit initially caused confusion due to its name, which resembles the cross-chain protocol Squid. Squid quickly clarified on social platform X that it neither developed nor deployed the vulnerable SquidRouterModule. “A third-party SquidRouterModule was exploited, not Squid’s Router contract,” the team said, emphasizing that the module shared its name but not its codebase.
Safe Labs CEO Rahul Rumalla stated that the affected wallets were not operated on the official Safe Wallet platform but rather through externally deployed integrations. He pointed to the platform’s “Safe Shield” feature, which flags potentially malicious modules, noting that Blockaid had already flagged the SquidRouterModule as risky before the breach. Despite this, some users had granted the module permissions, exposing their funds to the exploit.
Bigger Picture: Risks in Composable Wallets
This attack underscores the risks associated with composable wallet extensions and third-party modules in decentralized finance (DeFi). While modular architectures like Safe’s can improve usability and flexibility, they can also serve as attack vectors if users fail to vet integrations carefully. Similar exploits have surged in 2026, raising concerns about the security of cross-chain protocols and wallet infrastructure.
For traders and wallet users, this incident is a reminder to use caution when enabling third-party modules, especially those requiring extensive permissions. Safe’s built-in risk detection features, such as Safe Shield, can help mitigate risks but are only effective if users heed warnings and avoid flagged modules.
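One way to act on this advice is to enumerate what a Safe has actually enabled. The added example below (not code from Safe, Squid or Blockaid) decodes the return data of the Safe contract's getModulesPaginated(address,uint256) view call offline and classifies each module against a reviewer-maintained allowlist and flagged list. The helper names, both lists and the sample addresses are assumptions constructed for illustration.

```python
# Added example: offline audit of the modules a Safe has enabled.
# Input: raw ABI return data of the Safe's view call
#   getModulesPaginated(address start, uint256 pageSize)
# which returns (address[] array, address next). An enabled module can
# execute transactions from the Safe without owner signatures.
SENTINEL = "0x" + "00" * 19 + "01"  # Safe's end-of-list marker, address(0x1)

def word(data, i):
    """Return the 32-byte ABI word at byte offset i, or fail if truncated."""
    w = data[i:i + 32]
    if len(w) != 32:
        raise ValueError("truncated ABI data")
    return w

def addr(w):
    """Addresses are right-aligned in a word; the top 12 bytes must be zero."""
    if any(w[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + w[12:].hex()

def decode_modules_page(ret_hex):
    """Decode (address[] array, address next) from hex return data."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    offset = int.from_bytes(word(data, 0), "big")   # head: where the array starts
    nxt = addr(word(data, 32))                      # head: pagination cursor
    count = int.from_bytes(word(data, offset), "big")
    if count > (len(data) - offset - 32) // 32:
        raise ValueError("array length exceeds payload")
    return [addr(word(data, offset + 32 * (k + 1))) for k in range(count)], nxt

def audit_modules(ret_hex, allowlist, flagged):
    """Classify each enabled module; second value is True if more pages remain."""
    allow = {a.lower() for a in allowlist}
    bad = {a.lower() for a in flagged}
    mods, nxt = decode_modules_page(ret_hex)
    report = {m: "FLAGGED" if m in bad else "ok" if m in allow else "UNREVIEWED"
              for m in mods}
    return report, nxt != SENTINEL

# Constructed sample: one page holding three made-up module addresses.
def enc(a):
    return bytes(12) + bytes.fromhex(a[2:])

KNOWN, RISKY, OTHER = ("0x" + c * 20 for c in ("aa", "bb", "cc"))
SAMPLE = "0x" + ((64).to_bytes(32, "big") + enc(SENTINEL) +
                 (3).to_bytes(32, "big") + enc(KNOWN) + enc(RISKY) + enc(OTHER)).hex()

if __name__ == "__main__":
    print(audit_modules(SAMPLE, {KNOWN}, {RISKY}))
```

Any module reported as UNREVIEWED or FLAGGED is a candidate for removal until someone has checked what it is permitted to execute.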
What’s Next?
As of now, neither Safe nor Squid has announced plans for user compensation, and the identity of the attacker remains unknown. Blockchain sleuths will likely track the stolen DAI in the coming weeks to monitor any attempts to launder the funds.
For Ethereum users, the broader lesson is clear: while the ecosystem’s composability is a strength, it comes with significant security trade-offs. As DeFi and cross-chain activity grow, so do the stakes, and the vulnerabilities.


