Luisa Crawford
May 25, 2026 15:52
A third-party module exploit drained $3.2M from Safe wallets on Ethereum and Base. Squid and Safe Labs distance themselves from responsibility.
A third-party module exploit targeting Safe wallets drained $3.2 million across the Ethereum and Base networks on May 25, 2026. Blockchain security firm Blockaid attributed the attack to a vulnerability in the 'SquidRouterModule,' which reportedly allowed the attacker to bypass wallet authorization protocols.
The exploit affected at least 86 Gnosis Safe accounts within two hours, with stolen assets quickly swapped into DAI through attacker-controlled Uniswap V3 pools. About 3.07 million DAI has since been consolidated into a single wallet, according to Blockaid's report. Ethereum's price remained largely unaffected, trading at $2,123.47 (+1.49% on the day).
How the Attack Worked
Blockaid's analysis found that the attack leveraged a flaw in the SquidRouterModule's executeSameChainActions() function. The function reportedly used a publicly known constant string to validate transactions, which allowed the attacker to impersonate trusted delegates and execute unauthorized token swaps. The vulnerability exploited overly broad execution permissions granted to the module by affected wallet users.
Safe, formerly known as Gnosis Safe, is one of the most widely used multi-signature wallet solutions. Its modular architecture lets users extend wallet functionality with third-party smart contracts, a feature that can introduce security risks if deployed carelessly. This incident highlights the dangers of granting broad permissions to unverified modules.
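The pattern Blockaid describes, a module that treats a fixed constant as proof of authority, is shown here next to a caller-bound alternative. This is an added, hypothetical example and not the SquidRouterModule's code: only execTransactionFromModule and isOwner are real Safe functions, and every contract, function and constant name besides those is an assumption made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the SquidRouterModule source. Only
// execTransactionFromModule and isOwner are real Safe functions;
// all other names are hypothetical.
interface ISafe {
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation)
        external returns (bool success);
    function isOwner(address owner) external view returns (bool);
}

struct Action { address to; uint256 value; bytes data; }

// Weak: the "credential" is a constant readable from public bytecode and
// calldata, so any caller can present it for any Safe that enabled the module.
contract ConstantTagModule {
    bytes32 public constant DELEGATE_TAG = keccak256("hypothetical-delegate-tag");

    function executeActions(ISafe safe, bytes32 tag, Action[] calldata actions) external {
        require(tag == DELEGATE_TAG, "bad tag"); // says nothing about msg.sender
        for (uint256 i = 0; i < actions.length; i++) {
            Action calldata a = actions[i];
            require(safe.execTransactionFromModule(a.to, a.value, a.data, 0), "exec failed"); // 0 = Call
        }
    }
}

// Hardened: authority comes from who is calling, and the reachable targets
// are limited to ones the Safe itself approved through a normal transaction.
contract OwnerGatedModule {
    mapping(address => mapping(address => bool)) public allowedTarget; // safe => target

    // msg.sender is the Safe: only a threshold-approved Safe tx can widen scope.
    function setAllowedTarget(address target, bool allowed) external {
        allowedTarget[msg.sender][target] = allowed;
    }

    function executeActions(ISafe safe, Action[] calldata actions) external {
        require(safe.isOwner(msg.sender), "caller is not an owner of this Safe");
        for (uint256 i = 0; i < actions.length; i++) {
            Action calldata a = actions[i];
            require(allowedTarget[address(safe)][a.to], "target not approved");
            require(safe.execTransactionFromModule(a.to, a.value, a.data, 0), "exec failed"); // 0 = Call
        }
    }
}
```

The hardened form still lets a single owner act without the full signature threshold, so the per-Safe target allowlist is what bounds the damage a compromised owner key could do through the module.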
Squid and Safe Labs Respond
The exploit initially caused confusion because of its name, which resembles the cross-chain protocol Squid. Squid quickly clarified on social platform X that it neither developed nor deployed the vulnerable SquidRouterModule. “A third-party SquidRouterModule was exploited, not Squid’s Router contract,” the team said, emphasizing that the module shared its name but not its codebase.
Safe Labs CEO Rahul Rumalla stated that the affected wallets were not operated on the official Safe Wallet platform but rather through externally deployed integrations. He pointed to the platform’s “Safe Shield” feature, which flags potentially malicious modules, noting that Blockaid had already flagged the SquidRouterModule as risky before the breach. Despite this, some users had granted the module permissions, exposing their funds to the exploit.
Bigger Picture: Risks in Composable Wallets
This attack underscores the risks associated with composable wallet extensions and third-party modules in decentralized finance (DeFi). While modular architectures like Safe’s can improve usability and flexibility, they can also serve as attack vectors if users fail to vet integrations carefully. Similar exploits have surged in 2026, raising concerns about the security of cross-chain protocols and wallet infrastructure.
For traders and wallet users, this incident is a reminder to use caution when enabling third-party modules, especially those requiring extensive permissions. Safe’s built-in risk detection features, such as Safe Shield, can help mitigate risks but are only effective if users heed warnings and avoid flagged modules.
What’s Next?
As of now, neither Safe nor Squid has announced plans for user compensation, and the identity of the attacker remains unknown. Blockchain sleuths will likely track the stolen DAI in the coming weeks to watch for any attempts to launder the funds.
For Ethereum users, the broader lesson is clear: while the ecosystem’s composability is a strength, it comes with significant security trade-offs. As DeFi and cross-chain activity grow, so do the stakes, and the vulnerabilities.