Safe module compromised: Squid vulnerability warning

链上雷达
2 hours ago

On May 26, 2026, a seemingly "localized" module vulnerability pulled the Safe wallet into the center of a security storm. The attackers targeted not user private keys but the SquidRouterModule, a module mounted in the Safe environment. Security firms observed that flawed verification logic in this module was exploited on chains like Ethereum and Base, allowing attackers to bypass the original verification process by forging messages and to initiate malicious transactions directly from Safe addresses. The incident was clearly characterized as a targeted exploit of a security vulnerability. SlowMist founder Yu Xian immediately emphasized that the issue was not key leakage; rather, the affected Safe addresses had enabled the vulnerable SquidRouterModule, which tore open the defensive layer at the point of modular extension. Once the attack path was confirmed, the Saturn Foundation swiftly blacklisted the wallet addresses associated with the attackers and announced the freezing of stolen funds that had flowed into its system, while reaffirming that its own contracts and infrastructure had not been breached. This step escalated a technical problem originally perceived as a "single module incident" into a security alert that the entire modular wallet ecosystem must address head-on.

From Key Leakage to Module Breach: A Cognitive Reversal

When the incident was first noticed, the on-chain transfer paths were highly concentrated on a batch of Safe addresses. The most intuitive and habitual explanation was yet another key leakage: either users had fallen for phishing signatures or the custody environment had been compromised. This familiar narrative was quickly overturned by SlowMist's analysis. Yu Xian directly pointed out, "The problem is not with the private keys; the issue lies in the vulnerability of the SquidRouterModule module used by these Safe addresses. Attackers can forge messages, easily bypassing the relevant verification," shifting the focus from user operations and key management to the third-party modules mounted on the Safe.

Sampling results further substantiated this reversal: according to SlowMist, all of the affected Safe wallets were single-signature, with owner addresses independent of one another, showing no signs of the same private key being reused or leaked simultaneously across multiple wallets. In routine security incidents, "single-signature + different owners" usually implies that the attack surfaces are dispersed. In this attack, however, the wallets were linked by the same exploitation chain, and their only common point was their connection to the SquidRouterModule. It was this module that allowed attackers to forge messages in the Safe environment and bypass the verification process that should have blocked abnormal operations, making the malicious transactions possible. The security question shifted from "did the user properly secure the private key" to "is the module code trustworthy enough to be entrusted with signing permissions."

The Hidden Minefield of Safe Modular Wallets Has Been Triggered

Safe (formerly Gnosis Safe) has almost become the industry's default option for multi-chain multi-signature wallets in recent years. Many teams assume that security issues are mostly taken care of once they migrate assets into Safe. However, Safe itself is just an account framework; what actually drives the various "advanced plays" are the modules that can be mounted on it. Once integrated, these modules can initiate operations on behalf of the account in specific scenarios. They bring automation and cross-chain routing convenience while quietly expanding the exploitable attack surface: the user still sees the same Safe address, but the underlying code path is no longer the familiar core logic.

The SquidRouterModule named in this incident is one such third-party module, providing cross-chain routing capabilities for Safe accounts. The security firm Blockaid detected that the SquidRouterModule on both the Ethereum and Base chains was subjected to similar attacks, with the vulnerability clearly located at the module level, not in the core contract of Safe itself. The Saturn Foundation also stressed that its contracts and infrastructure were not affected, and that the problem was concentrated in how specific modules interact with the wallets they are combined with. All of this brings a harsh reality to the forefront: even if the core contract has passed audits and has been validated by the funds it holds, a modular wallet needs equally stringent code audits and integration standards when it integrates third-party capabilities. Otherwise, a "secure account" can be dragged into a risk-laden zone at any time by one weak extension.

Multi-chain Vulnerability: Ethereum and Base Were Both Attacked

Almost simultaneously with the confirmation of the vulnerability, the security firm Blockaid raised the alarm: the SquidRouterModule on both Ethereum and Base, two mainstream networks, exhibited similar abnormal calls pointing to the same exploit path. This indicates that the problem is not isolated to a single deployment or project environment. Rather, the whole "Safe + SquidRouterModule" combination was compromised across chains, so the incident naturally transcends chain boundaries and can no longer be contained as a localized event on one specific chain.

What makes it trickier is that the risk profile remains unclear. Public information contains neither the exact number of victim wallets nor the total scale of stolen funds; what Blockaid and the various security teams can provide is merely the qualitative judgment "multichain exploitation confirmed." SlowMist's sampling analysis filled in a crucial detail: the affected addresses primarily consisted of single-signature Safes with different owners, which made the attack operationally "friendly" in terms of thresholds. Once the attacker successfully used the module to bypass verification, the result was equivalent to directly triggering the authorization of a single owner, with no multi-signature coordination to overcome. In an environment stitched together from multiple chains and multiple modules, once a module is reused across chains, such low-threshold, high-diffusion structural risks are significantly amplified.

Saturn Blacklist in Effect: Stolen Funds Temporarily Locked

After the attack path was confirmed, the Saturn Foundation quickly chose to use its permissions as a "backstop": it blacklisted the wallet addresses associated with the attackers and announced the freezing of stolen funds, preventing these assets from being further transferred or used within the Saturn system. For assets that had already fallen under the attackers' control, this step was equivalent to temporarily lowering a gate and locking the funds inside Saturn's "walls," cutting off further cash-out or transfer paths at least in the short term.

Alongside the freeze, an equally important statement was issued: Saturn emphasized that this incident did not directly impact Saturn's own contracts or infrastructure, because the problem lay in the vulnerability of the SquidRouterModule mounted in the Safe wallet environment, not in defects of Saturn's underlying infrastructure. The blacklist and freeze were a response after the fact rather than preventative measures, and they served as a form of "self-certification" in the arena of public opinion and trust. On one hand, they bought the victims a window of time for tracking and negotiation and partially repaired the protocol's reputation. On the other hand, they reminded the market that such freezing mechanisms have inherent boundaries: they are only effective while the assets remain within the controllable range of the Saturn system, and users must accept the premise that the protocol holds such disposal rights before they can regard this post-facto defense as a genuinely reliable safety option.

What Can We Do Before the Next Module is Exploited?

The exploitation of the SquidRouterModule vulnerability has put a harsh fact on the table: even for a wallet standard as widely adopted as Safe, once third-party modules are mounted, the overall risk profile is no longer equivalent to that of the "original Safe" but is determined by the weakest module.

For protocol teams and module developers, the next steps go beyond fixing one hole. They must treat modules as first-class security components: raising integration thresholds and audit standards, clearly disclosing threat models and permission boundaries before going live, promptly collaborating with security firms such as SlowMist and Blockaid during incidents to establish monitoring, reporting, and emergency processes, and expeditiously delisting or disabling risky modules while communicating patch progress in parallel.

For ordinary users, each time a complex cross-chain module is enabled, it effectively adds another layer of only partially visible attack surface to their assets. Given that the specific amounts stolen, the number of affected wallets, the technical details of the vulnerability, and the patch status are all currently undisclosed, the more cautious approach is to reduce unnecessary module permissions, to be particularly prudent with functionality like cross-chain routing, and to monitor subsequent announcements closely: whether the SquidRouterModule will be disabled or repaired, whether the Safe ecosystem will update its module security standards, and whether Saturn and the relevant security teams will release more complete analysis reports. This information, along with the final confirmed scale of losses, will collectively determine the impact of this incident in the history of modular wallet development.
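
Reducing module permissions starts with knowing which modules a Safe has enabled. The following is an added example, not code from this article or from the Safe project: it decodes the return data of Safe's `getModulesPaginated(address start, uint256 pageSize)` view (fetched separately, for instance via `eth_call`) and flags enabled modules that are missing from a reviewed allowlist. The sample response and module addresses are constructed placeholders, and `audit_modules` and the allowlist are hypothetical names.

```python
# Added example: decode Safe getModulesPaginated() return data, flag unreviewed modules.
SENTINEL = "0x" + "00" * 19 + "01"  # Safe module-list sentinel, address(0x1)

def _word(data, i):
    """Return the 32-byte ABI word at byte offset i, or fail if truncated."""
    w = data[i:i + 32]
    if len(w) != 32:
        raise ValueError("truncated ABI data")
    return w

def _addr(word):
    """Decode a left-padded address word; reject non-zero padding."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret_hex):
    """Decode ABI-encoded (address[] array, address next)."""
    raw = ret_hex[2:] if ret_hex.startswith("0x") else ret_hex
    data = bytes.fromhex(raw)
    offset = int.from_bytes(_word(data, 0), "big")  # head slot 0: array offset
    nxt = _addr(_word(data, 32))                    # head slot 1: next cursor
    count = int.from_bytes(_word(data, offset), "big")
    if count > (len(data) - offset) // 32:
        raise ValueError("array length exceeds available data")
    modules = [_addr(_word(data, offset + 32 * (k + 1))) for k in range(count)]
    return modules, nxt

def audit_modules(ret_hex, allowlist):
    """Report enabled modules and those missing from the reviewed allowlist."""
    modules, nxt = decode_modules_page(ret_hex)
    reviewed = {a.lower() for a in allowlist}
    return {
        "enabled": modules,
        "unreviewed": [m for m in modules if m not in reviewed],
        "more_pages": nxt not in (SENTINEL, "0x" + "00" * 20),
    }

def _pad(addr):
    return bytes(12) + bytes.fromhex(addr[2:])

# Constructed sample: placeholder module addresses, not real deployments.
MODULE_A = "0x" + "aa" * 20
MODULE_B = "0x" + "bb" * 20
SAMPLE = "0x" + b"".join([
    (64).to_bytes(32, "big"), _pad(SENTINEL),
    (2).to_bytes(32, "big"), _pad(MODULE_A), _pad(MODULE_B),
]).hex()
```

Any address reported under `unreviewed` is a module that can act for the Safe without having been vetted; when `more_pages` is true, repeat the call with the returned cursor as `start` before drawing conclusions.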
