Luisa Crawford
Might 25, 2026 15:52
A 3rd-party module exploit drained $3.2M from Protected wallets on Ethereum and Base. Squid and Protected Labs distance themselves from duty.
A 3rd-party module exploit concentrating on Protected wallets drained $3.2 million throughout Ethereum and Base networks on Might 25, 2026. Blockchain safety agency Blockaid attributed the assault to a vulnerability within the ‘SquidRouterModule,’ which reportedly allowed the hacker to bypass pockets authorization protocols.
The exploit impacted not less than 86 Gnosis Protected accounts inside two hours, with stolen belongings shortly swapped into DAI through attacker-controlled Uniswap V3 swimming pools. About 3.07 million DAI has since been consolidated right into a single pockets, based on Blockaid’s report. Ethereum’s worth remained largely unaffected, buying and selling at $2,123.47 (+1.49% on the day).
How the Assault Labored
Blockaid’s evaluation revealed that the assault leveraged a flaw within the SquidRouterModule’s executeSameChainActions() operate. The operate reportedly used a publicly recognized fixed string to validate transactions, which allowed the attacker to impersonate trusted delegates and execute unauthorized token swaps. The vulnerability exploited overly broad execution permissions granted to the module by affected pockets customers.
Protected, previously often called Gnosis Protected, is among the most generally used multi-signature pockets options. Its modular structure permits customers to increase pockets performance with third-party sensible contracts, a characteristic that may introduce safety dangers if deployed carelessly. This incident highlights the risks of granting broad permissions to unverified modules.
Squid and Protected Labs Reply
The exploit initially triggered confusion as a result of its identify, which resembles the cross-chain protocol Squid. Squid shortly clarified on social platform X that it neither developed nor deployed the weak SquidRouterModule. “A 3rd-party SquidRouterModule was exploited, not Squid’s Router contract,” the group stated, emphasizing that the module shared its identify however not its codebase.
Protected Labs CEO Rahul Rumalla acknowledged that the affected wallets weren’t operated on the official Protected Pockets platform however moderately by way of externally deployed integrations. He pointed to the platform’s “Protected Defend” characteristic, which flags probably malicious modules, noting that Blockaid had already flagged the SquidRouterModule as dangerous earlier than the breach. Regardless of this, some customers had granted the module permissions, exposing their funds to the exploit.
Larger Image: Dangers in Composable Wallets
This assault underscores the dangers related to composable pockets extensions and third-party modules in decentralized finance (DeFi). Whereas modular architectures like Protected’s can enhance usability and adaptability, they’ll additionally function assault vectors if customers fail to vet integrations rigorously. Related exploits have surged in 2026, elevating issues in regards to the safety of cross-chain protocols and pockets infrastructure.
For merchants and pockets customers, this incident is a reminder to make use of warning when enabling third-party modules, particularly these requiring intensive permissions. Protected’s built-in danger detection options, comparable to Protected Defend, might help mitigate dangers however are solely efficient if customers heed warnings and keep away from flagged modules.
What’s Subsequent?
As of now, neither Protected nor Squid has introduced plans for person compensation, and the id of the attacker stays unknown. Blockchain sleuths will probably observe the stolen DAI within the coming weeks to observe any makes an attempt to launder the funds.
For Ethereum customers, the broader lesson is evident: whereas the ecosystem’s composability is a power, it comes with important safety trade-offs. As DeFi and cross-chain exercise develop, so do the stakes—and the vulnerabilities.
Picture supply: Shutterstock
