Third-Party Module Identified as Culprit in $3.2M Wallet Drainage by Squid and Safe Labs

Approximately $3 million was siphoned from Safe wallets operating on Ethereum and Base networks through a third-party module, according to Squid, which clarified that an unofficial external Safe module was responsible while its main infrastructure remained uncompromised.

An exploit believed to have targeted a third-party Safe module has resulted in the drainage of approximately $3.2 million from digital wallets spanning the Ethereum and Base networks, with several development teams attributing the breach to an externally developed module.

The incident came to light on Monday when Blockaid, a platform specializing in blockchain security, disclosed details about the attack, noting that it centered around a contract identified as "SquidRouterModule," which created initial uncertainty regarding a potential connection to Squid, the cross-chain protocol.

Subsequently, Squid clarified via its X account that the problem had no connection to its primary protocol infrastructure and was instead tied to a third-party module that had been integrated with Safe wallet systems.

"A third-party SquidRouterModule was exploited, not Squid's Router contract," Squid said, adding that the contract shares its name but not its code.

The security breach underscores the potential risks associated with trusted wallet modules, which can be exploited to transfer funds when they have been granted extensive execution permissions within smart account architectures.

86 Gnosis Safes drained for $3 million in about two hours

Safe, which was previously known as Gnosis Safe, operates as a multi-signature wallet solution deployed across various blockchain networks, implementing a requirement for a predetermined minimum number of users to authorize any transaction prior to its execution.

The platform also supports expansion through optional modules, which function as smart contracts enabling pre-approved code to carry out operations on the wallet's behalf.

Based on information from Blockaid, the assault impacted no fewer than 86 Safe accounts during an approximately two-hour window, with the entirety of the stolen digital assets being converted to Dai (DAI) through Uniswap V3 liquidity pools under the attacker's control.

Source: PeckShieldAlert

The suspected underlying cause centers on a security flaw within the SquidRouterModule, which reportedly enabled the perpetrator to masquerade as authorized delegates and execute unauthorized token exchange transactions, according to Blockaid's assessment.

Module attribution and Safe response

Rahul Rumalla, who serves as CEO of Safe Labs, stated that the compromised accounts "do not seem to be operated on official Safe Wallet product," further noting that the method and location of their creation and management remain uncertain, with the likelihood being that they were established through externally deployed integration solutions.

Source: Rahul Rumalla

According to him, Safe Wallet addresses these types of security concerns through "Safe Shield," a protective feature engineered to identify and alert users to potentially malicious or unverified modules and guards prior to their implementation. The CEO further emphasized that the compromised module had previously been marked as malicious by Blockaid, which forms part of Safe Shield's comprehensive risk detection ruleset.
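
Because an enabled module can execute operations on a Safe's behalf, owners of Safes managed outside the official wallet can audit which modules are enabled and compare them with a list they have reviewed. The Python below is an added example, not code from Safe, Squid or Blockaid: it decodes the return data of the Safe contract's `getModulesPaginated` view function (as obtained from an `eth_call`) and reports modules missing from an allowlist. The addresses, the allowlist and the helper names `decode_modules_page` and `audit_modules` are constructed for illustration.

```python
# Added example: audit a Safe's enabled modules against a reviewed allowlist.
# Input: raw ABI-encoded return data of the Safe view function
# getModulesPaginated(address,uint256) -> (address[] array, address next).
# Every address below is a constructed sample value.

SENTINEL = "0x" + "00" * 19 + "01"  # Safe's list sentinel: no further pages


def _word(data: bytes, pos: int) -> bytes:
    """Return the 32-byte ABI word at byte offset pos, bounds-checked."""
    if pos + 32 > len(data):
        raise ValueError(f"truncated return data at byte {pos}")
    return data[pos:pos + 32]


def _address(word: bytes) -> str:
    """Addresses are right-aligned in a word; the top 12 bytes must be zero."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()


def decode_modules_page(ret_hex: str):
    """Decode (address[] array, address next) into (modules, next_cursor)."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    offset = int.from_bytes(_word(data, 0), "big")   # head slot 0: array offset
    next_cursor = _address(_word(data, 32))          # head slot 1: page cursor
    count = int.from_bytes(_word(data, offset), "big")
    if count > (len(data) - offset - 32) // 32:
        raise ValueError("array length exceeds return data")
    modules = [_address(_word(data, offset + 32 * (i + 1))) for i in range(count)]
    return modules, next_cursor


def audit_modules(ret_hex: str, allowlist):
    """Return (enabled modules not on the allowlist, more_pages_remaining)."""
    modules, next_cursor = decode_modules_page(ret_hex)
    approved = {a.lower() for a in allowlist}
    return [m for m in modules if m not in approved], next_cursor != SENTINEL


# Constructed sample: one reviewed and one unreviewed module, last page.
REVIEWED = "0x" + "aa" * 20
UNKNOWN = "0x" + "bb" * 20
# Words: array offset (0x40 = 64 bytes), next cursor, array length, two entries.
_WORDS = ("40", SENTINEL[2:], "2", REVIEWED[2:], UNKNOWN[2:])
SAMPLE = "0x" + "".join(w.rjust(64, "0") for w in _WORDS)

if __name__ == "__main__":
    print(audit_modules(SAMPLE, {REVIEWED}))
```

When the second return value is true, the caller repeats the `eth_call` with the returned cursor as `start` until the sentinel comes back.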

Cointelegraph approached Safe and its CEO for comment but did not receive a response by publication time.