🚨 86 Safe wallets were drained in 2 hours through a module-level execution flaw.

REPORT

May 26, 2026

A SquidRouterModule exploit reportedly hit Safe accounts across Ethereum and Base, draining roughly $3.2 million before funds were consolidated into DAI.

WHAT HAPPENED:

Attackers abused missing identity validation in SquidRouterModule and used a Foundry-based exploit contract to call the DelegateBundler route.

The result:

• 86 Safe accounts affected

• USDC, ENA, and USDT drained

• Assets swapped through attacker-seeded Uniswap V3 pools

• Around 3.07 million DAI consolidated after laundering steps

LAUNDERING FLOW:

The attack path shows clear pre-planning:

→ Tornado Cash-funded attacker EOA

→ Exploit execution across Safe wallets

→ Liquidity manipulation through worthless “u” token pools

→ DAI conversion

→ Relay.link and NEAR Intents Bridge movement attempts

Key addresses to monitor:

• Attacker EOA: 0x9bdc730183821b6bb2b51be30b77c964fa645b91

• DAI hub: 0xa447f71782135ab96a71374271a749ff7aa54859

• Unknown 90 ETH wallet: 0xe12e0f117d23a5ccc57f8935cd8c4e80cd91ff01

CHAINBOUNTY ANALYSIS:

This was not a simple wallet drain. It targeted Safe execution infrastructure and abused delegated transaction pathways at scale.

The Tornado Cash funding, attacker-seeded liquidity pools, and rapid DAI consolidation suggest a prepared operation rather than opportunistic theft.

The current priority is a freeze-versus-bridge race. If the 3.07 million DAI hub has not exited to centralized venues, blacklist coordination may still reduce recovery loss.

PROTECT YOURSELF:

• Revoke SquidRouterModule permissions on Safe wallets immediately

• Review delegated module routes connected to treasury execution

• Monitor DAI consolidation wallets before funds move through bridges or swap aggregators
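
For the first two steps under PROTECT YOURSELF, here is an added example (not part of the original report and not ChainBounty's or Safe's code) that plans the removal of one module from a Safe. It assumes the module is enabled through Safe's standard ModuleManager, where modules form a linked list and `disableModule(prevModule, module)` needs the entry that precedes the target. All addresses in it are constructed placeholders; the report does not give the SquidRouterModule address.

```python
# Added example. Input is the full module array returned by the Safe's
# getModulesPaginated(SENTINEL, pageSize); fetch further pages first if the
# returned `next` value is not the sentinel.
SENTINEL = "0x" + "00" * 19 + "01"      # SENTINEL_MODULES in Safe's ModuleManager
DISABLE_MODULE_SELECTOR = "e009cfde"    # disableModule(address,address)


def _norm(addr):
    """Lower-case a 20-byte hex address, rejecting malformed input."""
    a = addr.lower()
    if not a.startswith("0x") or len(a) != 42:
        raise ValueError("not a 20-byte address: %r" % addr)
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a


def _word(addr):
    """ABI-encode an address as a left-padded 32-byte word (hex, no 0x)."""
    return _norm(addr)[2:].rjust(64, "0")


def unexpected_modules(enabled, allowlist):
    """Return enabled modules that are not on the reviewed allowlist."""
    allowed = {_norm(a) for a in allowlist}
    return [m for m in map(_norm, enabled) if m not in allowed]


def plan_disable(enabled, target):
    """Return (prev_module, calldata) for disabling `target`, or None if the
    target is not enabled on this Safe."""
    mods = [_norm(m) for m in enabled]
    t = _norm(target)
    if t not in mods:
        return None
    i = mods.index(t)
    # The list head is preceded by the sentinel; others by their neighbour.
    prev = SENTINEL if i == 0 else mods[i - 1]
    return prev, "0x" + DISABLE_MODULE_SELECTOR + _word(prev) + _word(t)


# Constructed placeholders, not real contracts.
REVIEWED_MODULE = "0x" + "aa" * 20
MODULE_TO_REVOKE = "0x" + "BB" * 20   # stands in for the SquidRouterModule address
ENABLED = [REVIEWED_MODULE, MODULE_TO_REVOKE]

if __name__ == "__main__":
    print("unexpected:", unexpected_modules(ENABLED, [REVIEWED_MODULE]))
    print("plan:", plan_disable(ENABLED, MODULE_TO_REVOKE))
```

The calldata must be sent by the Safe to itself as an owner-signed transaction with value 0, because `disableModule` only accepts calls from the Safe's own address.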