Squid and Safe Labs Say Third-Party Module Behind $3.2M Exploit

Safe’s modular architecture, which lets users attach optional contracts to extend functionality, has been a selling point for institutional and retail crypto custodians. By design, a Safe wallet requires multiple signatures to approve a transaction, but modules can act with the wallet’s authority once installed. This flexibility also creates an attack surface: if a module is compromised or malicious, it inherits the wallet’s permissions, effectively bypassing the multi‑sig safeguard. The recent exploit demonstrates how a seemingly innocuous third‑party contract can become a conduit for large‑scale fund extraction.

Blockaid’s investigation traced the theft to a vulnerability in the SquidRouterModule, a contract that shares a name with the cross‑chain protocol Squid but contains unrelated code. The flaw allowed the attacker to masquerade as an authorized delegate, triggering token swaps that moved the stolen assets into attacker‑controlled Uniswap V3 pools and were quickly converted to stablecoin DAI. Within roughly two hours, 86 Safe accounts lost about $3.2 million, highlighting how quickly a module exploit can cascade across multiple networks when permissions are overly permissive.

The episode sends a clear signal to the broader DeFi ecosystem: reliance on third‑party extensions demands rigorous vetting and real‑time risk monitoring. Safe’s own Safe Shield feature had already flagged the module as malicious, yet users still deployed it, suggesting gaps in user awareness or in the enforcement of risk alerts. As smart‑account wallets gain traction among enterprises, providers must tighten module certification processes and educate users about the dangers of broad execution rights. For investors and developers, the incident reinforces the need to prioritize security‑by‑design, especially when integrating external code into high‑value custodial solutions.