QuantChainAnalysis/Intelligence/Squid Router · SquidRouterModule · 26 May 2026
DeFi Exploit Safe Module Attack · Unknown Deployer 26 May 2026 · 9 min read

'We Don't Know Who Deployed This.'
$3.2 Million Was Already Gone.

A module impersonating Squid Router drained $3.2 million from Safe wallets while every on-chain monitor watched in silence. Nobody deployed it. Nobody authorised it. And until the money was already moving, nobody knew it existed.

Stolen
$3,200,000
Attack vector
Rogue Safe Module
Deployer
Unknown
← Back to Intelligence

On 26 May 2026, users of Squid Router began noticing something wrong with their Safe wallet balances. The amounts were moving, not to addresses they had authorised, not through transactions they had signed, but through a module they had never approved, deployed by a party nobody could identify, bearing the name of a protocol that immediately said it had nothing to do with it. By the time the drain was confirmed, approximately $3.2 million had left Safe wallets across multiple chains. As of publication, the deployer remains unknown. The module, SquidRouterModule, had been sitting in Safe's module ecosystem, apparently inactive, until it was not.

// Squid Router Official Statement, 26 May 2026

"We don't know who deployed this." This is the most alarming thing a protocol can say about a contract bearing its name that just drained $3.2 million from users who trusted that name. The name was the attack. The trust was the vulnerability. The module was the instrument.

The Anatomy of a Safe Module Attack

Safe, formerly Gnosis Safe, is the dominant multi-signature wallet infrastructure for on-chain institutional custody. Its modular architecture allows third-party developers to attach autonomous logic to a Safe wallet: automation rules, spending limits, cross-chain bridges, yield strategies. A module, once enabled, can execute transactions against the Safe without requiring a fresh signature from every key holder. That is the feature. That is also the vulnerability. The module's authorisation is a one-time event, after which it operates autonomously, within whatever constraints it was programmed with. Or, in the case of a malicious module, without constraints at all.

What Made This Module Different

The legitimate Squid Router integration with Safe uses verified, publicly attributed contracts. The SquidRouterModule that drained funds was deployed from an unverified address with no public affiliation to the Squid team. Its name was chosen to impersonate a trusted integration. Its bytecode contained drain logic that had no equivalent in Squid's legitimate codebase. The module sat dormant, possibly for days or weeks, until the attacker activated it. This dormancy period is deliberate: it defeats threshold-based monitoring that only fires on anomalous transaction patterns. A module that never transacts generates no alerts.

SquidRouterModule Attack (Reconstructed Timeline)
  • Unknown: Pre-attack
    SquidRouterModule deployed from an unverified address. Enabled as a module on target Safe wallets, likely through social engineering, phishing of Safe UI users, or exploitation of automated module-enabling flows in bridge integrations.
  • Unknown: Dormancy
    Module sits enabled but inactive. No suspicious transactions. No alerts. Its presence in wallet module lists goes unnoticed. Standard monitoring tools generate no signals.
  • 26 May 2026: Activation
    Module activates. Calls execTransactionFromModule(), the privileged bypass allowing modules to transact without key-holder signatures. $3.2M begins moving across chains to attacker-controlled addresses.
  • 26 May 2026: Discovery
    Squid disavows. Issues statement: "We don't know who deployed this." Safe Labs confirms core protocol is untouched. Drain is already complete. Deployer identity unknown.
  • Ongoing
    On-chain forensics underway. Funds traced to distribution addresses. Deployer identity remains unknown. Module ecosystem trust severely damaged across both Squid and Safe user bases.

Why Standard Monitoring Failed

Every exchange and custodian running Safe wallets has monitoring infrastructure: balance alerts, transaction volume thresholds, anomaly detection on outbound flows. None of it helped here, because the monitoring watches transactions. The module was enabled before any of those transactions occurred. By the time execTransactionFromModule() was called, the attack was already over in every meaningful sense. The damage was determined when the module was enabled, not when it was activated. The activation was the finalisation.

The Repeating Pattern

This is not the first time the Safe module ecosystem has been weaponised. The Bybit hack, at $1.46 billion, also exploited the gap between what Safe users see and what Safe modules actually do. In that case, the signing interface was compromised. Here, it was the module registry itself. The attack surface is different. The structural vulnerability is identical: Safe users extend trust to named integrations without verifying what those integrations are authorised to do.

"Standard monitoring watches transactions. Safe module attacks are won before the first transaction. The activation event, enabling the module, is the moment everything was already decided."

Praveen Giri, Founder · QuantChainAnalysis
Attack ComponentDetection by Standard ToolsQCA Pre-Mempool Gate
Module deployment (unknown address)None, not monitoredDeployment from unverified address flagged; no association with Squid
Module enablement on Safe walletsNone, treated as routine user actionUnverified module enablement flagged for review
Dormancy periodNone, no transactions to monitorModule in watchlist; activation triggers immediate gate evaluation
execTransactionFromModule() drainDetected after settlement, too lateBlocked in mempool before confirmation, anomalous module execution pattern
// QCA Pre-Mempool Analysis (Reconstructed)

The drain transaction carried a signature no legitimate Safe module ever produces.

The execTransactionFromModule() call that initiated the drain was submitted to the mempool before confirmation. At that point, QCA's gate would have evaluated: the calling module is unverified, with no publicly attributed deployer, bearing a name mismatched to its on-chain registration, executing a full-balance transfer to an address with no prior relationship to the affected wallets. This is not a legitimate module execution pattern.

8.92
/ 10.00 (HIGH RISK)
GATE DECISION: PRE-MEMPOOL BLOCK
  • Module deployer: unverified, no public attribution, impersonation pattern
  • execTransactionFromModule() full-balance sweep, zero precedent for this module
  • Destination: no prior interaction with affected Safe wallets
  • Dormancy → high-value activation pattern: consistent with pre-planned drain logic
OUTCOME: Drain transaction refused. $3.2M stays in Safe wallets. Deployer still unknown, but the module never executes. Patent pending DE 10 2026 001 732.7.