News

$3.2M Safe Wallet Exploit Hits Users, Squid Clarifies Role

Bitcoin Fund Flow Ratio Hits Historic Lows: Reversal Ahead?

Ethereum Sentiment Turns Bearish as ETF Outflows Rise

Bitcoin Floor Pattern Emerged Across Eight Metrics, Alphractal Says

THORChain Releases Exploit Report, Cites GG20 Flaw

Hyperliquid Price Surges Above $50 Amid ETF-Driven Short Squeeze

× Vave CasinoVave Casino
CoinNewsspanCoinNewsSpan
Bitcoin

Bitcoin

$ 77,336.00

BTC (24h)

0.50%
Etherum

Ethereum

$ 2,115.62

ETH (24h)

-0.03%
BNB

Binance

$ 670.05

BNB (24h)

1.58%
XRP

XRP

$ 1.36

XRP (24h)

-0.30%
Web3 News

$3.2M Safe Wallet Exploit Hits Users, Squid Clarifies Role

Photo of Niharika DeshpandeCoinNewsSpan Niharika Deshpande Follow on X 9 minutes ago
3 minutes read
SquidRouterModule Exploit Drains 86 Gnosis Safes, $3M Swapped to DAI

Blockaid reported on social media platform X today, May 25, 2026 that hackers have carried out a coordinated attack against Squid’s SquidRouterModule on Ethereum and Base. The issue was not with Safe’s main wallet system, however, there had been a problem with an added extension that helps users move assets and execute transactions across different blockchains. Since these modules can act on behalf of a Safe wallet once approved, a hacked module can potentially steal funds from wallets that had it enabled.

According to the post made by Blockaid, around 86 Safe wallets were compromised within roughly two hours and losses have been estimated to be around $3.2 million. Reports suggest the attacker gathered the stolen funds into a wallet that held about 3.07 million DAI before moving or hiding the assets further. Blockchain tracking data from Etherscan also shows the wallet addresses believed to be connected to both the exploit activity and the main fund consolidation process.

How the Attack Unfolded

On-chain traces point to the attacker exploiting the module’s ExecutionFromModuleSuccess path, a code path that is intended to let an authorized module carry out actions for the Safe once it confirms a successful external operation. According to alerts, the drain operator executed calls for the malicious or exploited SquidRouterModule to transfer assets out of Safes that had explicitly granted the module permissions.

After the extraction, the attacker swapped the stolen tokens into DAI using Uniswap V3 pools under their control. Centralizing proceeds will reduce volatility and facilitate laundering or further mixing. The attacker’s active addresses currently show almost no ETH balance, suggesting rapid on-chain swapping and consolidation into the DAI holding wallet.

Squid Responds, Says Core Protocol and User Funds Remain Secure

SquidRouter has finally responded and highlighted that the exploit was not caused by Squid’s main protocol or router contracts. Instead, hackers targeted a third-party Safe module called “SquidRouterModule” that had a major security flaw.

The module allowed attackers to execute fake approved transactions and steal funds from affected wallets. Squid said its own systems, user funds, and integrations remain secure.

Who’s Affected and Why it Matters

This exploit may have affected the DAOs, crypto project treasuries, multisig wallets, and organizations that had enabled the module for cross-chain transactions. As stated above, Safe’s main wallet system itself was not hacked, the issue came from an added module connected to it.

These modules are designed to expand what Safe wallets can do, such as moving assets between blockchains more easily, but they also create extra security risks if something goes wrong.

There are a lot of people, treasury managers, crypto teams that are dependent on these tools, all because they make the cross-chain transfers faster and easier. The thing here is that once a module gets approved inside a Safe wallet then it gains powerful permissions.

Moreover, if they can manage to exploit the module, then they may be able to shift funds without having to attack the Safe wallet’s core system. This is something that can make suspicious activity harder to detect, especially when the attacks are fast-moving.

Security experts are now urging affected users to immediately remove or disable the SquidRouterModule from their Safe wallets. Wallet owners are also being advised to review recent transaction activity carefully for anything unusual and move remaining assets into wallets that do not have the compromised module enabled.

Projects and DAOs are also expected to notify community members, partners, and treasury contributors while coordinating emergency responses where possible.

As of now, investigators are trying to figure out the scale of the exploit and identify those who are responsible for this exploit. Blockchain data has already revealed wallet addresses connected to the attack and the movement of the stolen funds, but recovering crypto becomes much harder once assets are swapped, split across wallets, or mixed through other services.

The incident serves as another reminder that third-party crypto tools and integrations can become weak points even when the main wallet system remains secure. For organizations managing large treasuries, limiting permissions and carefully reviewing wallet extensions may help reduce future risks.

Photo of Niharika DeshpandeCoinNewsSpan Niharika Deshpande Follow on X 9 minutes ago
3 minutes read
Photo of Niharika DeshpandeCoinNewsSpan

Niharika Deshpande

Niharika, an editor at CoinNewsSpan, has been covering the crypto industry for the last four years. She specializes in breaking down complex blockchain topics into simple, easy-to-understand insights. She closely follows market trends, reports on breaking crypto developments. She also analyses emerging sectors within the crypto space. Her coverage includes blockchain innovations, crypto-regulations, DeFi trends, NFT ecosystem, Crypto ETFs and investment products.