A vulnerability in the SquidRouterModule — a third-party module integrated with Safe — let an attacker drain roughly $3.2 million from Safe wallets on Ethereum and Base this week. The exploit targeted users who had approved the module, siphoning funds before the attack was spotted. Both Squid, the team behind the module, and Safe Labs have publicly disclaimed responsibility, leaving affected users in limbo.
How the exploit worked
The SquidRouterModule is a cross-chain routing tool that Safe users could add to their wallets. An attacker found a way to abuse the module's permissions, withdrawing assets from wallets that had active approvals. The $3.2 million haul was split across Ethereum and Base — the two networks where the module was most active.
Who's taking the blame
Not Squid. Not Safe Labs. Both teams issued statements distancing themselves from liability. Safe Labs stressed that the module is third-party software, not part of the core Safe contract. Squid argued that the module itself wasn't compromised — the exploit came from how users interacted with it. The finger-pointing means no central party has stepped up to reimburse victims.
What users should check now
If you've ever approved the SquidRouterModule on a Safe wallet, your funds may still be at risk. The exploit is live and hasn't been patched — the attacker can strike again. Security researchers recommend revoking approvals for the module immediately and moving assets to a fresh Safe without the module enabled. The damage so far is $3.2 million, but that number could grow if users don't act.
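As an added example (not code from Squid, Safe Labs or this article), the Python below decodes the return data of a Safe's `getModulesPaginated(address start, uint256 pageSize)` view call to check whether a module is still enabled and to find the `prevModule` argument that the Safe's `disableModule(prevModule, module)` requires. It assumes "approved" here means the module is enabled on the Safe; the module address is a constructed placeholder because the article gives none, and the sample return data is constructed.

```python
SENTINEL = "0x" + "00" * 19 + "01"   # Safe's module linked-list sentinel, address(0x1)
MODULE_PLACEHOLDER = "0x" + "aa" * 20  # placeholder: the article gives no module address

def _word(data, off):
    """Return the 32-byte ABI word at byte offset `off`; reject truncated data."""
    w = data[off:off + 32]
    if len(w) != 32:
        raise ValueError("truncated ABI data")
    return w

def _addr(word):
    """Decode an ABI address word, insisting on clean zero padding."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_modules(ret_hex):
    """Decode (address[] array, address next) as returned by getModulesPaginated."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    offset = int.from_bytes(_word(data, 0), "big")      # where the array starts
    nxt = _addr(_word(data, 32))
    count = int.from_bytes(_word(data, offset), "big")
    mods = [_addr(_word(data, offset + 32 * (i + 1))) for i in range(count)]
    return mods, nxt

def find_module(ret_hex, module, start=SENTINEL):
    """Report whether `module` is on this page and which entry precedes it."""
    mods, nxt = decode_modules(ret_hex)
    chain = [start.lower()] + mods    # the entry before mods[0] is the page's start
    target = module.lower()
    found = target in mods
    prev = chain[mods.index(target)] if found else None
    # list_end is True when next == sentinel; otherwise query again from `next`
    return {"enabled": found, "prev_module": prev, "list_end": nxt == SENTINEL}

def _enc(addr):
    """ABI-encode an address as a left-padded 32-byte word (for the sample only)."""
    return bytes(12) + bytes.fromhex(addr[2:])

# Constructed sample: a Safe with two enabled modules, returned in a single page
OTHER = "0x" + "bb" * 20
SAMPLE = "0x" + ((0x40).to_bytes(32, "big") + _enc(SENTINEL)
                 + (2).to_bytes(32, "big") + _enc(OTHER) + _enc(MODULE_PLACEHOLDER)).hex()

if __name__ == "__main__":
    print(find_module(SAMPLE, MODULE_PLACEHOLDER))
```

If `enabled` is false and `list_end` is false, the Safe has more modules than the page size and the call must be repeated with `start` set to the returned `next` before concluding the module is absent.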
The question of who will cover the losses — if anyone — remains unanswered.




