SquidRouterModule Exploit Drains $3.2M From Secure Wallets

A 3rd-party module exploit focusing on Secure wallets drained $3.2 million throughout Ethereum and Base networks on Could 25, 2026. Blockchain safety agency Blockaid attributed the assault to a vulnerability within the ‘SquidRouterModule,’ which reportedly allowed the hacker to bypass pockets authorization protocols.

The exploit impacted at the very least 86 Gnosis Secure accounts inside two hours, with stolen belongings shortly swapped into DAI through attacker-controlled Uniswap V3 swimming pools. About 3.07 million DAI has since been consolidated right into a single pockets, in accordance with Blockaid’s report. Ethereum’s worth remained largely unaffected, buying and selling at $2,123.47 (+1.49% on the day).

How the Assault Labored

Blockaid’s evaluation revealed that the assault leveraged a flaw within the SquidRouterModule’s executeSameChainActions() operate. The operate reportedly used a publicly recognized fixed string to validate transactions, which allowed the attacker to impersonate trusted delegates and execute unauthorized token swaps. The vulnerability exploited overly broad execution permissions granted to the module by affected pockets customers.

Secure, previously often known as Gnosis Secure, is likely one of the most generally used multi-signature pockets options. Its modular structure permits customers to increase pockets performance with third-party sensible contracts, a function that may introduce safety dangers if deployed carelessly. This incident highlights the risks of granting broad permissions to unverified modules.

Squid and Secure Labs Reply

The exploit initially precipitated confusion because of its identify, which resembles the cross-chain protocol Squid. Squid shortly clarified on social platform X that it neither developed nor deployed the susceptible SquidRouterModule. “A 3rd-party SquidRouterModule was exploited, not Squid’s Router contract,” the group mentioned, emphasizing that the module shared its identify however not its codebase.

Secure Labs CEO Rahul Rumalla said that the affected wallets weren’t operated on the official Secure Pockets platform however reasonably by way of externally deployed integrations. He pointed to the platform’s “Secure Defend” function, which flags doubtlessly malicious modules, noting that Blockaid had already flagged the SquidRouterModule as dangerous earlier than the breach. Regardless of this, some customers had granted the module permissions, exposing their funds to the exploit.

Larger Image: Dangers in Composable Wallets

This assault underscores the dangers related to composable pockets extensions and third-party modules in decentralized finance (DeFi). Whereas modular architectures like Secure’s can enhance usability and adaptability, they will additionally function assault vectors if customers fail to vet integrations rigorously. Related exploits have surged in 2026, elevating considerations in regards to the safety of cross-chain protocols and pockets infrastructure.

For merchants and pockets customers, this incident is a reminder to make use of warning when enabling third-party modules, particularly these requiring in depth permissions. Secure’s built-in threat detection options, akin to Secure Defend, can assist mitigate dangers however are solely efficient if customers heed warnings and keep away from flagged modules.

What’s Subsequent?

As of now, neither Secure nor Squid has introduced plans for consumer compensation, and the identification of the attacker stays unknown. Blockchain sleuths will probably observe the stolen DAI within the coming weeks to watch any makes an attempt to launder the funds.

For Ethereum customers, the broader lesson is evident: whereas the ecosystem’s composability is a power, it comes with vital safety trade-offs. As DeFi and cross-chain exercise develop, so do the stakes—and the vulnerabilities.

Picture supply: Shutterstock