Published 26 May 2026  ·  11 min read
Breaking  ·  DeFi Exploit  ·  Third-Party Module Attack
Squid Router  ·  Safe{Wallet} Module  ·  Unverified Deployer  ·  $3,200,000

'We Don't Know Who Deployed This.' $3.2 Million Was Already Gone.

A module impersonating Squid Router drained $3.2 million from Safe wallets while every on-chain monitor watched in silence. Nobody claims to have deployed it. Nobody authorised it. And until the money was already moving, nobody knew it existed.

On 26 May 2026, users of Squid Router — the cross-chain liquidity protocol — began noticing something wrong with their Safe wallet balances. The amounts were moving. Not to addresses they had authorised. Not through transactions they had signed. Through a module they had never approved, deployed by a party nobody could identify, bearing the name of a protocol that immediately and emphatically said it had nothing to do with it.

By the time the drain was confirmed, approximately $3.2 million had left Safe wallets across multiple chains. Squid issued a statement describing the responsible contract as a "lookalike third-party module" — a separately deployed contract designed to appear affiliated with Squid Router's legitimate infrastructure. Safe Labs confirmed their core protocol was untouched. The module that did the damage was not theirs either. That left one question dominating every post-mortem discussion: whose was it?

As of publication, that question has no public answer. The deployer remains unknown. The module — SquidRouterModule — had been sitting in Safe's module ecosystem, apparently inactive, until it was not.

The Anatomy of a Module Attack

To understand how this happened, it is necessary to understand what Safe modules are and why they represent one of the most dangerous and underscrutinised attack surfaces in institutional DeFi. Safe — formerly Gnosis Safe — is the dominant multi-signature wallet infrastructure for on-chain institutional custody. Its modular architecture allows third-party developers to attach autonomous logic to a Safe wallet: automation rules, spending limits, cross-chain bridges, yield strategies.

A module, once enabled, can execute transactions against the Safe without requiring a fresh signature from every key holder. That is the feature. That is also the vulnerability. The module's authorisation is a one-time event — enabling it — after which it operates autonomously within whatever constraints it was programmed with. Or, in the case of a malicious module, without any constraints at all.

// Attack Vector

The SquidRouterModule was not a compromise of Safe's smart contract code, which has been audited and is correct. It was not a compromise of Squid Router's legitimate protocol. It was a separately deployed contract that exploited the trust users extend to named modules — and the fact that most Safe users never inspect the bytecode of what they enable.

What Made This Module Different From Legitimate Ones

The legitimate Squid Router integration with Safe uses verified, publicly attributed contracts. The SquidRouterModule that drained funds was deployed from an unverified address with no public affiliation to the Squid team. Its name was chosen to impersonate a trusted integration. Its bytecode contained drain logic that had no equivalent in Squid's legitimate codebase.

The module sat dormant — possibly for days or weeks — until the attacker determined the conditions were right. This dormancy period is deliberate. It defeats threshold-based monitoring that only fires on anomalous transaction patterns. A module that never transacts generates no alerts. Until it does.

Reconstruction: What Happened and When

Unknown — Pre-Attack
The SquidRouterModule contract is deployed from an unverified address. It is enabled as a module on target Safe wallets, likely through social engineering, phishing of Safe UI users, or exploitation of automated module-enabling flows in cross-chain bridge integrations.
Unknown — Dormancy Period
The module sits enabled but inactive. No suspicious transactions. Standard monitoring tools generate no alerts. The module's presence in the wallet's enabled module list goes unnoticed or ignored.
26 May 2026 — Activation
The module activates. Using its pre-granted autonomous execution rights, it calls the Safe's execTransactionFromModule() function — the privileged bypass that allows modules to transact without key-holder signatures. Approximately $3.2 million begins moving across chains to attacker-controlled addresses.
26 May 2026 — Discovery and Disavowal
Squid Router issues a statement distancing itself from the module. "We don't know who deployed this." Safe Labs confirms their core protocol is unaffected. The drain has already completed. The module's deployer remains unidentified.
26 May 2026 — Ongoing
On-chain forensic investigation underway. Funds traced to distribution addresses. Identity of deployer unknown. Protocol credibility of both Squid and Safe is intact but user trust in the module ecosystem is severely damaged.

The Repeating Pattern Nobody Is Solving

This is not the first time the Safe module ecosystem has been weaponised. Three months ago, the Bybit hack — $1.46 billion, the largest cryptocurrency theft in history — also exploited the gap between what Safe users see and what Safe modules actually do. In that case, it was the signing interface that was compromised. In this case, it is the module registry itself. The attack surface is different. The structural vulnerability is identical: Safe users extend trust to named integrations without verifying what those integrations are authorised to do on their behalf.

"We don't know who deployed this."
— Squid Router, official statement, 26 May 2026

The statement is honest. It is also, from a risk management perspective, the most alarming thing a protocol can say about a contract bearing its name that just drained $3.2 million from users who trusted that name. The name was the attack. The trust was the vulnerability. The module was the instrument.

Why Standard Monitoring Failed

Every exchange and custodian running Safe wallets has monitoring infrastructure. Balance alerts. Transaction volume thresholds. Anomaly detection on outbound flows. None of it helped here, for the same reason it rarely helps in module attacks: the monitoring watches transactions. The module was enabled before any of those transactions occurred.

By the time the module called execTransactionFromModule(), the attack was already over in every meaningful sense. The damage was determined at the moment of module enablement, not at the moment of execution. Every alert that fired after the drain was an autopsy, not a warning.

Detection Method            | When It Fires            | Result in This Attack
----------------------------|--------------------------|-------------------------------
Balance alert               | After drain              | Autopsy — funds gone
Tx volume anomaly           | After drain              | Autopsy — funds gone
Outbound flow monitor       | After drain              | Autopsy — funds gone
Module enablement review    | At enablement            | Possible — if bytecode checked
Pre-mempool bytecode gate   | Before any transaction   | Intercept — drain prevented

What QCA Detects — Before the First Drain

// QCA Pre-Mempool Analysis · SquidRouterModule

The module contract was detectable before a single wei moved.

QCA's quantum amplitude risk engine scores wallets and contracts across ten dimensions at the point of transaction signing — before broadcast to the mempool. When any of those dimensions returns an elevated signal, the gate fires. For the SquidRouterModule scenario, three dimensions would have triggered independently:

Bytecode Similarity Scoring — QCA computes a similarity score between a contract's bytecode and known-malicious patterns in the ForensicLedger corpus. A module with drain logic embedded in its bytecode produces a measurable bytecode divergence from legitimate Squid Router contracts. The legitimate Squid Router module and this contract are not the same bytecode. QCA knows the difference.

High-Risk Contract Interaction — Any transaction that routes through an unverified, non-audited contract address receives a dimension penalty. The SquidRouterModule is not in QCA's verified infrastructure registry. The moment a user attempts a transaction that routes through it, the high_risk_contract signal activates.

Wallet Rotation Resistance — If the draining wallet has prior forensic history — even across different addresses using the same biometric identity — QCA's nullifier-based amplitude evolution carries that signal forward. A fresh deployment address carrying old risk patterns does not escape detection through address rotation.

// QCA Gate Evaluation — SquidRouterModule Interaction
wallet_address: [Safe wallet with SquidRouterModule enabled]
contract_interaction: SquidRouterModule [UNVERIFIED]
bytecode_similarity_score: 0.74 [ELEVATED — diverges from legitimate Squid Router]
known_high_risk_contract: TRUE
risk_score: 7.9 / 10.0
risk_tier: HIGH
gate_decision: PRE_MEMPOOL_BLOCK
forensic_event: TX_HIGH_RISK_BLOCKED · ledger_hash: [on-chain anchor]

The Structural Question for Every Institution

The $3.2 million Squid module exploit is not the largest DeFi theft. It is not even the largest Safe-related incident of the past twelve months. But its mechanism — the rogue named module — is arguably the most replicable attack vector in the ecosystem. The barriers to execution are low. The module ecosystem is large and largely unaudited by users. The trust in protocol names is high. The inspection of module bytecode by end users is near zero.

Every institution running Safe wallets for custody has a version of this risk on their balance sheet right now. The question is not whether a rogue module has been enabled — the question is whether anyone would know before it fires. Most would not. The current industry standard is reactive monitoring: detect the drain after it starts, freeze what you can, write the post-mortem. The losses in that gap between detection and prevention compound every quarter.

// Risk Assessment for Institutions

If your Safe wallet has any third-party modules enabled, conduct an immediate audit: verify the deployer address of every module against the protocol's official documentation, compare bytecode hashes against the protocol's published contract addresses, and review the permissions each module holds against your execTransactionFromModule() guard conditions. A module you enabled three months ago under a familiar name may not be the contract you think it is.
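The audit checklist just given, and the "module enablement review" row of the detection table, as one added Python example (not QCA's or Safe's code): it assumes you have already pulled each enabled module's address, UI name, runtime codehash and deployer address from the chain, and every address, hash and registry entry in it is a constructed placeholder.

```python
# Enablement-time review of Safe modules: trust a module by its bytecode hash
# and deployer, never by the name the wallet UI shows. Added example, not QCA's
# or Safe's code; addresses, hashes and names below are constructed placeholders.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ModuleInfo:
    address: str   # module contract address (from getModulesPaginated or EnabledModule)
    name: str      # label shown in the UI; attacker-controlled, never a trust signal
    codehash: str  # keccak256 of runtime bytecode (EXTCODEHASH, or keccak of eth_getCode)
    deployer: str  # address that created the contract (from the deployment trace)

# Allowlist of verified integrations keyed by codehash, taken from the protocol's
# published contract list. Constructed values for the example.
VERIFIED = {
    "0xc0de0001": ("SquidRouterModule", "0xdeployer-squid"),
}

def _norm(name: str) -> str:
    """Collapse case, spaces and punctuation so 'Squid Router Module' == 'squidroutermodule'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def classify(mod: ModuleInfo, registry=VERIFIED) -> str:
    """VERIFIED only when bytecode AND deployer match; a trusted name on other
    bytecode is a LOOKALIKE, the pattern this post describes."""
    if mod.codehash in registry:
        _, expected_deployer = registry[mod.codehash]
        if mod.deployer.lower() != expected_deployer.lower():
            return "UNEXPECTED_DEPLOYER"
        return "VERIFIED"
    if _norm(mod.name) in {_norm(n) for n, _ in registry.values()}:
        return "LOOKALIKE"
    return "UNVERIFIED"

def audit_enabled_modules(enabled, registry=VERIFIED) -> dict:
    """Audit of every currently enabled module (the checklist in the text)."""
    return {m.address: classify(m, registry) for m in enabled}

def review_enablement(mod: ModuleInfo, registry=VERIFIED) -> tuple:
    """Decision for an EnabledModule event: the only moment a check can still
    precede the module's first execTransactionFromModule() call."""
    verdict = classify(mod, registry)
    return ("ALLOW" if verdict == "VERIFIED" else "ALERT", verdict)

# Constructed sample: the genuine integration and a lookalike from an unknown deployer.
GENUINE = ModuleInfo("0x1111", "SquidRouterModule", "0xc0de0001", "0xdeployer-squid")
LOOKALIKE = ModuleInfo("0x2222", "Squid Router Module", "0xc0debad0", "0xunknown")

if __name__ == "__main__":
    for addr, verdict in audit_enabled_modules([GENUINE, LOOKALIKE]).items():
        print(addr, verdict)             # 0x1111 VERIFIED / 0x2222 LOOKALIKE
    print(review_enablement(LOOKALIKE))  # ('ALERT', 'LOOKALIKE')
```

Run the audit on every Safe you custody and wire review_enablement to the EnabledModule event stream, so the verdict exists while the module is still dormant rather than after its first drain.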

The Lesson That Will Not Be Learned Quickly Enough

Squid Router did not build the module that drained $3.2 million from users who trusted Squid's name. Safe's core protocol did not fail. No private key was stolen. No multisig threshold was bypassed in the traditional sense. The attacker simply understood that in the Safe module ecosystem, a convincing name is worth more than a valid signature — and that the gap between module enablement and module execution is a window nobody is watching.

The Bybit hack was $1.46 billion. The SquidRouterModule drain is $3.2 million. The mechanism is different. The lesson is the same. On-chain trust is not self-enforcing. The blockchain records every transaction as valid if it is cryptographically correct. It does not record whether the human who initiated it understood what they were signing, what they were enabling, or who had already positioned themselves inside the system waiting for the moment they chose to act.

The gap between cryptographic validity and economic security is where every meaningful theft in this space has occurred. It is not a gap that will be closed by better multisig design or more auditors. It requires something that fires before the transaction is broadcast, reads what the contract actually does rather than what it is named, and blocks at the membrane between intent and execution. That is what pre-mempool risk gating is for. In this case — as in Bybit — it would have been enough.

See the Gate in Action — Before a Transaction Reaches the Mempool

QCA's 10-dimension quantum amplitude engine evaluates wallet and contract risk at signing time, not settlement time. Bytecode similarity scoring, high-risk contract detection, and cross-wallet identity persistence — all before broadcast.

QCA Intelligence · quantchainanalysis.com