SquidRouter Module Drains $3M From Safe Wallets on Ethereum and Base

Published: May 26, 2026 | By SpendNode Editorial

Key Analysis

A third-party SquidRouterModule attached to Safe smart wallets was exploited on Ethereum and Base, draining roughly $3M and exposing module-level risk.

A third-party module attached to Safe smart wallets has been exploited overnight, draining roughly $3M across Ethereum and Base. The component, identified by on-chain investigators as the SquidRouterModule, was a router extension that some Safe users had installed to handle cross-chain swaps. The Safe core contracts themselves were not breached. The compromise sat one layer up, inside an opt-in module that held delegated authority to move funds.

Coin Bureau first flagged the incident in the early hours of May 26, 2026, describing the affected component as a "third-party SquidRouterModule tied to Safe wallets" that was exploited across Ethereum and Base. The $3M figure is preliminary and likely to move as more wallets are audited.

For context on the broader market backdrop, bitcoin is trading at $76,585 as of May 26, 2026, down 0.6% over 24 hours, and ether is at $2,088, down 0.4%, with the Fear and Greed index sitting at 39. The exploit is not large enough to push prices on its own, but it lands in an already cautious tape.

The breach sat one layer above Safe's core

Safe, formerly known as Gnosis Safe, is the most widely used smart contract wallet in the DAO and treasury world. Its core appeal is modularity: the base contract is conservative and audited, and users bolt on optional modules for specific functions like recovery, automation, or cross-chain routing.

The SquidRouterModule was one such add-on. Routers handle the choreography of swapping a token on one chain for a token on another, often through bridges and DEXs. To do that efficiently, a router needs permission to move funds out of the wallet. That permission is exactly what an attacker needs if the module is flawed.

In this case, the self-custody promise of Safe held. The core wallet logic did not fail. The failure was in code that users voluntarily attached and authorized.

The mechanics, as far as on-chain evidence shows

Early forensic posts point to the module's external call handling. A router module typically takes user instructions, forwards them to an external contract, and routes any returned funds back to the wallet. If the module does not strictly validate which external contract it talks to, or how returned funds are accounted for, an attacker can craft an instruction that effectively asks the module to send wallet assets to an address the attacker controls.

That pattern would be consistent with what investigators are seeing on Ethereum and Base. Funds moved out in batches, from multiple Safe wallets that shared the same module installation. The attacker did not need a private key. The module's delegated authority was enough.

This is the same class of risk seen in a number of protocol incidents over the past year, where the perimeter was not the token contract itself but a routing or bridge component sitting one layer above it.

The structural damage outruns the $3M loss

$3M is small compared with the headline hacks of the cycle. The reason this incident still matters is structural.

First, Safe is critical infrastructure. It holds an outsized share of DAO treasuries, multisig operational funds, and high-value individual self-custody balances. Any narrative that "Safe was hacked," even when the core contracts are untouched, erodes trust in the broader smart wallet stack.

Second, modules are how Safe scales beyond a basic multisig. The product roadmap, and much of the developer ecosystem built around Safe, depends on modules being a safe place to extend functionality. Each high-profile module failure raises the bar for what users and DAOs are willing to install.

Third, the affected chains are Ethereum and Base. Base in particular has been positioned as the consumer-friendly L2 where retail users hold balances they would not otherwise put on mainnet. A drain that reaches Base wallets pulls retail directly into a story that has so far been mostly a treasury and power-user problem.

Practical steps for affected users

If you run a Safe and you ever installed a router module for cross-chain swaps, the immediate action is to open the Safe interface, review enabled modules, and disable anything you do not actively need. Modules can be added in a single transaction. They can be removed the same way.

Approvals also matter. Even after a module is disabled, any external contract that previously had spending allowances on your tokens still has them. Use an approval revocation tool to clear stale allowances on the chains where the affected module was active.

For DAOs and treasuries, the standard hygiene applies: audit the full module set on every operational Safe, document which signer authorized each module, and remove anything that is not strictly load-bearing. Module sprawl is its own attack surface.
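
One way to carry out the module audit described above, as an added example rather than code from Safe or from this article: it decodes the return data of Safe's getModulesPaginated(start, pageSize) view call page by page and reports modules missing from an approved list. The fetch_page hook, the module addresses and the fixture are constructed for illustration, and the walk assumes the returned next value is a valid start cursor for the following page.

```python
# Added example: list every module enabled on a Safe and flag unapproved ones.
SENTINEL = "0x" + "0" * 39 + "1"   # Safe's module linked-list sentinel, address(0x1)
ZERO = "0x" + "0" * 40

def _addr(word: bytes) -> str:
    if len(word) != 32 or any(word[:12]):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()

def decode_page(raw: str):
    """Decode the ABI return of getModulesPaginated: (address[] array, address next)."""
    data = bytes.fromhex(raw[2:] if raw.startswith("0x") else raw)
    nxt = _addr(data[32:64])
    offset = int.from_bytes(data[:32], "big")
    if len(data) < offset + 32:
        raise ValueError("truncated return data")
    count = int.from_bytes(data[offset:offset + 32], "big")
    body = data[offset + 32:offset + 32 * (count + 1)]
    if len(body) != 32 * count:
        raise ValueError("truncated module array")
    return [_addr(body[i:i + 32]) for i in range(0, len(body), 32)], nxt

def enabled_modules(fetch_page):
    """Walk all pages. fetch_page(start) is a hypothetical hook returning eth_call output."""
    modules, start, cursors = [], SENTINEL, set()
    while True:
        page, nxt = decode_page(fetch_page(start))
        modules.extend(page)
        if nxt in (SENTINEL, ZERO) or not page:
            return modules
        if nxt in cursors:          # guard against a node that loops the cursor
            raise ValueError("cursor loop in module list")
        cursors.add(nxt)
        start = nxt

def unapproved_modules(fetch_page, approved):
    allow = {a.lower() for a in approved}
    return [m for m in enabled_modules(fetch_page) if m not in allow]

# --- constructed fixture: three made-up module addresses served two per page ---
MODS = ["0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20]

def _encode(mods, nxt):
    w = lambda a: bytes(12) + bytes.fromhex(a[2:])
    head = (64).to_bytes(32, "big") + w(nxt) + len(mods).to_bytes(32, "big")
    return "0x" + (head + b"".join(w(m) for m in mods)).hex()

def fake_fetch(start, page_size=2):
    i = 0 if start == SENTINEL else MODS.index(start) + 1
    nxt = MODS[i + page_size - 1] if i + page_size < len(MODS) else SENTINEL
    return _encode(MODS[i:i + page_size], nxt)
```

In the fixture the unapproved module sits on the second page, so an audit that reads only the first page would miss it.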

Overview

A third-party SquidRouterModule attached to Safe smart wallets was exploited on May 26, 2026, draining roughly $3M across Ethereum and Base. The Safe core contracts were not breached; the failure sat in an opt-in router module that had delegated authority over wallet funds. The dollar figure is modest, but the incident reinforces a pattern: in modular smart wallets, the security boundary is not the wallet, it is the union of the wallet and every module a user has authorized. The fix is mechanical: audit enabled modules, revoke stale approvals, and remove anything not actively in use.

Disclaimer: This article is provided for informational purposes only and does not constitute financial advice. All fee, limit, and reward data is based on issuer-published documentation as of the date of verification.
