CoinPulse AU
26 May 2026 · Source: Invezz · Tags: BLOCKCHAIN, ETH, DAI

Here’s how attackers drained $3.2M from Safe wallets on Ethereum and Base

Blockchain security firm Blockaid recently uncovered an exploit that saw approximately $3.2 million drained from Safe wallets across both Ethereum and Base networks. This sophisticated attack, which unfolded over roughly two hours, leveraged a vulnerability within a third-party Safe wallet module. For Australian cryptocurrency investors, this incident underscores the persistent security challenges in the decentralised finance (DeFi) space and the critical importance of understanding how digital assets are secured.

The attackers exploited delegated execution permissions, targeting the `SquidRouterModule` contract. This allowed them to drain dozens of smart accounts – at least 86 Gnosis Safe wallets were identified – before converting the stolen assets into Dai through attacker-controlled Uniswap V3 pools. Such incidents highlight the dynamic threat landscape that Australian investors must navigate when engaging with emerging crypto technologies and platforms.

What happened

On-chain analysis by Blockaid revealed that attackers successfully siphoned around $3.2 million by exploiting a flaw in a third-party Safe wallet module. The vulnerability lay within the `executeSameChainActions()` function of this specific module, not directly within Safe's core infrastructure. The attack involved deploying Foundry-based exploit contracts that abused the module’s `DelegateBundler` execution path. This allowed the attackers to impersonate authorised delegates linked to victim wallets.

Once the verification checks were bypassed, the attackers could initiate arbitrary swaps directly from the compromised Safe wallets. The owner-signature threshold that Safe enforces on ordinary transactions does not apply to calls made through an enabled module, so no multi-signature approval was needed at any point. The stolen assets, including USDC, ENA, and USDT, were routed through Uniswap V3 liquidity pools and then converted into Dai. An attacker-created token, identified as “u”, was reportedly used in the process before liquidity was removed and the proceeds converted.

Further investigation by SlowMist founder Cos suggested the exploit was not due to compromised private keys. Instead, the weakness was in vulnerable wallet modules attached to these accounts. The issue stemmed from improper identity validation in the `SquidRouterModule`, which allowed malicious payloads to masquerade as approved delegates. Because an enabled module can execute transactions from a Safe directly, with no owner signatures checked, the Safe itself cannot tell a forged request relayed by a buggy module from a legitimate one: the module's own checks are the entire authorisation boundary, and once those were bypassed the forged requests were accepted as legitimate instructions.
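The bug class described above, as an added illustration rather than the actual `SquidRouterModule` code (which this page does not reproduce): a hypothetical Safe module that takes the delegate's identity from its own calldata instead of from `msg.sender`, beside a hardened version of the same module. The contract and function names (`VulnerableDelegateModule`, `HardenedDelegateModule`, `executeFor`, `delegatesOf`, `allowedTargets`) are invented for the example; `execTransactionFromModule` and `Enum.Operation` are Safe's real module interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: a hypothetical Safe module pair showing the "caller-supplied
// identity" bug class. This is NOT the SquidRouterModule code; contract and
// function names here are invented for illustration.

// Minimal subset of the real Safe module interface.
library Enum {
    enum Operation { Call, DelegateCall }
}

interface ISafeModuleManager {
    // Any enabled module may call this. The Safe checks only that msg.sender
    // is an enabled module; no owner signatures or threshold are involved.
    function execTransactionFromModule(
        address to, uint256 value, bytes calldata data, Enum.Operation operation
    ) external returns (bool success);
}

// VULNERABLE: trusts a delegate address supplied in calldata.
contract VulnerableDelegateModule {
    // safe => delegate => allowed
    mapping(address => mapping(address => bool)) public delegatesOf;

    // The Safe itself calls this (via a normal owner-signed tx) to approve a delegate.
    function setDelegate(address delegate, bool allowed) external {
        delegatesOf[msg.sender][delegate] = allowed;
    }

    // BUG: `delegate` comes from the argument list, not from msg.sender, so
    // anyone who knows a victim's real delegate address passes the check and
    // can route an arbitrary call (e.g. a swap) out of the victim's Safe.
    function executeFor(address safe, address delegate, address to, bytes calldata data) external {
        require(delegatesOf[safe][delegate], "not a delegate");
        require(
            ISafeModuleManager(safe).execTransactionFromModule(to, 0, data, Enum.Operation.Call),
            "exec failed"
        );
    }
}

// HARDENED: identity is whoever is actually calling, and targets are allowlisted.
contract HardenedDelegateModule {
    mapping(address => mapping(address => bool)) public delegatesOf;
    // safe => target contract => allowed
    mapping(address => mapping(address => bool)) public allowedTargets;

    function setDelegate(address delegate, bool allowed) external {
        delegatesOf[msg.sender][delegate] = allowed;
    }

    function setTarget(address target, bool allowed) external {
        allowedTargets[msg.sender][target] = allowed;
    }

    function executeFor(address safe, address to, bytes calldata data) external {
        // Identity is msg.sender; a third party cannot forge it.
        require(delegatesOf[safe][msg.sender], "not a delegate");
        // Least privilege: even a compromised delegate can only reach
        // targets the Safe's owners approved in advance.
        require(allowedTargets[safe][to], "target not allowed");
        require(
            ISafeModuleManager(safe).execTransactionFromModule(to, 0, data, Enum.Operation.Call),
            "exec failed"
        );
    }
}
```

The point of the pairing is where the trust boundary sits. The Safe trusts the module completely, so the module's own authorisation check is the only thing standing between an attacker and the wallet's funds. Note that even the hardened module still runs with the Safe's full authority: enabling any module is a full-trust decision, and the allowlist only limits the damage a compromised or mistaken delegate can do.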

Safe Labs CEO Rahul Rumalla clarified that the compromised accounts do not appear to have been operated through the official Safe Wallet product. He suggested the affected wallets were likely deployed through external integrations rather than Safe's official interface. Notably, Safe Shield, the warning system built into that official interface and powered by Blockaid, had already flagged this specific module as malicious before the exploit; that warning only reaches users who enable modules through the official interface, which is consistent with the affected wallets having been set up elsewhere.

Why it matters for Australian investors

For Australian investors, this incident serves as a significant cautionary tale regarding the complexities of self-custody and the risks associated with third-party integrations in the DeFi ecosystem. While digital asset security is paramount, the distinction between a core protocol's security and the security of integrated modules can often be subtle, yet catastrophic if overlooked. Investors utilising multi-signature wallets or smart contract wallets need to understand the full scope of security implications, especially when granting permissions to external modules.

The sophisticated nature of this exploit – involving delegate impersonation and bypassing verification checks – highlights that even seemingly robust security frameworks can have vulnerabilities at their periphery. Australian investors should carefully vet any third-party protocols, integrations, or modules they connect to their wallets, regardless of whether they are using major Australian exchanges such as CoinSpot, Independent Reserve, Swyftx, or BTC Markets for primary trading, or venturing into the broader DeFi landscape.

Understanding the provenance and security audits of all components of their digital asset management strategy is crucial. While the Australian Taxation Office (ATO) provides guidance on crypto tax, and AUSTRAC focuses on financial crime prevention, individual investors bear the primary responsibility for the security of their assets. This incident further reinforces the need for due diligence beyond basic platform security, extending to every smart contract and module interacted with.

Impact on the AUD market

While the exploit itself did not directly target AUD-pegged stablecoins or Australian-specific platforms, its broader implications can subtly influence the AUD crypto market sentiment. Incidents of significant asset drainage, regardless of their direct geographic impact, can foster general risk aversion among investors. This might lead some Australian investors to temporarily withdraw funds from more experimental DeFi protocols, or to consolidate their holdings into more widely recognised and audited assets.

The primary assets stolen – USDC, ENA, USDT, and subsequently converted to DAI – are globally traded cryptocurrencies commonly accessible to Australian investors. A large-scale exploit involving these assets, even without direct AUD involvement, can still create ripples. It can affect the perceived stability of the wider crypto market, potentially impacting buying and selling pressures on AUD crypto pairs. While no immediate direct impact on AUD-denominated crypto prices or exchange operations at platforms like CoinSpot or Swyftx is expected purely from this incident, a sustained pattern of exploits could cool overall market enthusiasm.

Furthermore, such security breaches often prompt regulatory bodies worldwide, including potentially ASIC in Australia, to scrutinise the security practices within the crypto industry more closely. Increased regulatory attention, while often aimed at consumer protection, can introduce new compliance burdens for Australian crypto businesses and potentially shape how Australian investors interact with DeFi in the future.

What to watch next

Following this exploit, the crypto community will be keenly observing for several key developments. Firstly, further technical post-mortems and comprehensive security audits of the `SquidRouterModule` and similar third-party modules are anticipated. These analyses will be crucial for understanding the full extent of the vulnerability and for developing more robust security standards across the ecosystem. Australian investors should also look out for any updates from Safe Labs regarding their official wallet product’s resilience to such attack vectors, particularly concerning external integrations.

The response from various decentralised applications (dApps) and smart contract platforms that utilise modules will also be critical. We may see an industry-wide review of how permissions are granted to and managed by third-party modules, potentially leading to new best practices and clearer guidelines for users. For Australian investors, staying informed about these evolving security standards is paramount.

Finally, vigilance for similar exploitation attempts is always advised. Attackers often adapt their methods, and a successful exploit can sometimes inspire copycat attempts. Monitoring official security advisories from reputable blockchain security firms and platforms will be essential for all crypto participants, including those in Australia. Investors should remain cautious about connecting their wallets to unverified or newly launched modules, always prioritising security and conducting thorough due diligence.

FAQ

What does this Safe wallet exploit mean for my cryptocurrency holdings on Australian exchanges like CoinSpot or Swyftx?

This particular exploit targeted a third-party module attached to Safe smart contract wallets, not a centralised exchange's infrastructure. If your cryptocurrency is held on an Australian exchange such as CoinSpot, Independent Reserve, or Swyftx, the exchange custodies it under its own controls, and the smart contract vulnerability seen in this DeFi incident does not apply to those balances (exchange custody carries its own, separate risks). If you use a Safe wallet and have enabled third-party modules for DeFi activity, the security of those modules is the security of your wallet: an enabled module can move funds without any owner signatures.

How can Australian investors protect their Safe wallets or smart contract wallets from similar vulnerabilities?

Australian investors using Safe or similar smart contract wallets should exercise extreme caution when granting permissions to external modules or dApps. Always verify the reputation and audit history of any third-party module before enabling it. For a Safe specifically, review the list of enabled modules (in the Modules section of the Safe settings, or by calling getModulesPaginated on the Safe contract) and disable any module you did not deliberately enable; an enabled module can execute transactions from the Safe without any owner signatures, so it carries the full authority of the wallet. Limit permissions to only what is necessary, and regularly review and revoke unnecessary or expired approvals. Use the official Safe wallet interface where possible so that Safe Shield warnings reach you, and stay informed about security advisories from trusted sources such as Blockaid or Safe Labs. Apply the 'least privilege' principle when interacting with smart contracts.
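The module review described above, as an added example that is not Safe's own tooling: a Foundry script that reads the modules enabled on a Safe, compares them with an allowlist you maintain, and prints the `disableModule(prev, module)` calldata the owners would need to sign for anything unexpected. `getModulesPaginated` and `disableModule` are real Safe functions; the `SAFE` environment variable, the empty allowlist, the contract name and the script path in the usage note are placeholders for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Script, console2} from "forge-std/Script.sol";

// Added example, not Safe's own tooling: list the modules enabled on a Safe,
// flag any not on your allowlist, and print the disableModule calldata the
// owners must sign for each one. SAFE and the allowlist are placeholders.

interface ISafeModuleList {
    // Real Safe function: returns up to pageSize modules after `start`, in
    // linked-list order, plus a cursor for the next page.
    function getModulesPaginated(address start, uint256 pageSize)
        external view returns (address[] memory array, address next);
}

contract AuditSafeModules is Script {
    // Safe stores enabled modules as a singly linked list anchored on this sentinel.
    address internal constant SENTINEL = address(0x1);

    function run() external view {
        address safe = vm.envAddress("SAFE");

        // Placeholder: fill with the module addresses you enabled on purpose.
        address[] memory allowlist = new address[](0);

        (address[] memory modules, address next) =
            ISafeModuleList(safe).getModulesPaginated(SENTINEL, 100);
        if (next != SENTINEL) {
            console2.log("More than 100 modules enabled; continue paging from", next);
        }

        for (uint256 i = 0; i < modules.length; i++) {
            if (isAllowed(modules[i], allowlist)) continue;
            // disableModule(prev, module) requires the Safe's list to satisfy
            // modules[prev] == module. The returned array is in list order, so
            // element 0 is preceded by the sentinel and element i by element i-1.
            address prev = i == 0 ? SENTINEL : modules[i - 1];
            bytes memory data = disableCalldata(prev, modules[i]);
            console2.log("Unexpected module:", modules[i]);
            console2.log("  owners must sign a Safe tx with to=<safe> value=0 data=", vm.toString(data));
        }
    }

    // disableModule is only callable by the Safe itself, so the encoded call is
    // submitted as an ordinary owner-signed execTransaction with to = the Safe.
    function disableCalldata(address prev, address module) public pure returns (bytes memory) {
        return abi.encodeWithSignature("disableModule(address,address)", prev, module);
    }

    function isAllowed(address module, address[] memory allowlist) internal pure returns (bool) {
        for (uint256 i = 0; i < allowlist.length; i++) {
            if (allowlist[i] == module) return true;
        }
        return false;
    }
}
```

Run it read-only against a node, for example `SAFE=0x... forge script script/AuditSafeModules.s.sol --rpc-url $RPC_URL` (path assumed). The predecessor bookkeeping matters: passing the wrong `prev` makes `disableModule` revert, and disabling a module changes the predecessor of the one after it, so re-read the list after each removal rather than batching from a stale snapshot.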

Will Australian regulators like ASIC or AUSTRAC intervene following this $3.2 million exploit?

While ASIC primarily focuses on consumer protection in financial services and AUSTRAC on preventing financial crime, significant exploits in the global crypto space can attract their attention. They may monitor such incidents for systemic risks or to inform future regulatory frameworks regarding digital assets and DeFi. While this specific exploit did not directly involve Australian entities, a pattern of such events could influence policy discussions around investor protection, cybersecurity standards, and compliance obligations for Australian crypto businesses.

Source excerpt

A $3.2M exploit hit Safe wallets on Ethereum & Base. Discover what happened, its implications for Australian investors, and what's next for crypto security.

Read the original on Invezz
This analysis is generated automatically based on reporting by Invezz and is for informational purposes only — not financial advice. Always do your own research.