Gnosis Pay Exploit Targets Delay Module, User Losses Expected

Severity: High (Score: 69.0)

Sources: Theblock.Co, Thedefiant, help.gnosispay.com, En.Bloomingbit, www.cryptopolitan.com

Published: 2026-06-01 · Updated: 2026-06-02

Keywords: gnosis, safe, wallets, delay, module, exploit, self-custodial

Summary

Gnosis Pay experienced an exploit on June 1, 2026, affecting its delay module, which controls transaction permissions for users' Safe wallets. Co-founder Martin Köppelmann confirmed that the attacker could initiate transactions from wallets utilizing this module. Gnosis has pledged to cover all user losses, though the exact amount taken and number of affected accounts remain undisclosed. The exploit follows a recent incident where $3 million was drained from 86 Safe wallets due to a separate vulnerability. Gnosis is actively working to contain the damage and has requested bridge validators to pause operations to limit further losses. Blockchain security firm PeckShield has advised users to check their exposure and withdraw funds where possible. The incident highlights vulnerabilities in smart contract-based payment systems, emphasizing the need for robust security measures.

Key Points:

  • Gnosis Pay's delay module exploit allows unauthorized transaction initiation from Safe wallets.
  • Gnosis has committed to reimbursing all affected users, though the extent of losses is still unclear.
  • This incident follows a previous exploit draining $3 million from 86 Safe wallets.

Detailed Analysis

**Impact** The exploit targeted Gnosis Pay users, specifically those with Safe wallets configured with the Zodiac Delay Module. The exact number of affected accounts and total funds lost have not been disclosed, but losses are expected to be significant enough for Gnosis to pledge full reimbursement. The incident impacts users spending stablecoins via Gnosis Pay cards, primarily involving EURe and GNO tokens. The attack also prompted a temporary halt of cross-chain bridge operations, affecting transaction flow across multiple chains.

**Technical Details** The attacker exploited a vulnerability in the Zodiac Delay Module, a permission layer that queues transactions for approximately three minutes before execution. The vulnerability allowed the attacker to initiate unauthorized transactions from Safe wallets that use this module. The module is part of Gnosis Pay’s smart contract wallet infrastructure built on Gnosis Safe. No CVEs or malware names were provided. The attack is distinct from a recent unrelated exploit involving the SquidRouterModule. Emergency containment includes pausing bridge validators to limit cross-chain fund transfers.

**Recommended Response** Users should monitor their Gnosis Pay Safe wallets for unauthorized transactions and withdraw funds where possible, although withdrawal capability may be limited. Bridge validators and network operators should maintain the suspension of related bridging activities until the vulnerability is fully mitigated. Defenders should monitor for transactions initiated via the delay module and await Gnosis’s forthcoming technical updates and patches. No specific CVE-based patches or IOCs have been published to date.

Source articles (6)

  • 'Gnosis will cover all user losses' amid exploit related to Gnosis Pay, co — Theblock.Co · 2026-06-01
    Gnosis co-founder and CEO Martin Koppelmann confirmed Monday an active exploit related to Gnosis Pay involving the Zodiac delay module. "Unfortunately, there is a hack related to Gnosis Pay and the 'd…
  • Gnosis Pay Hit by 'Delay Module' Exploit as Gnosis Pledges to Cover User Losses — Thedefiant · 2026-06-01
    Gnosis Pay, the self-custodial Visa debit card built on Gnosis Chain that lets users spend stablecoins directly from their own Safe wallets, was hit by an active exploit targeting the "delay module"…
  • Safe wallets — help.gnosispay.com · 2026-06-01
    Gnosis Pay is a self-custodial payment system that allows you to spend stablecoins directly from your own Gnosis Safe wallet, giving you full control over your funds without needing to trust a third p…
  • Gnosis Co-Founder Says Losses From Exploit Are Being Contained, Seeks Halt to Bridge Activity — En.Bloomingbit · 2026-06-01
    Gnosis co-founder Martin Köppelmann said the security incident involving Gnosis Pay was linked to a vulnerability in the Zodiac Delay Module. To prevent further losses, the Gnosis team has asked bridg…
  • Exploit hits Gnosis Pay, TesseraDAO loses $2.5M as June hacks start to climb — Bitget · 2026-06-02
    The cryptocurrency industry has been plagued with a string of exploits that have renewed the debate whether or not AI-powered tools are helping exploiters discover vulnerabilities faster. Gnosis Pay,…
  • Cryptopolitan — www.cryptopolitan.com · 2026-06-02
    The cryptocurrency market has already suffered from two separate exploits affecting Gnosis Pay and TesseraDAO in the first days of June, leading to the loss of millions. The cryptocurrency industry ha…

Timeline

  • 2026-06-01 — Gnosis Pay exploit confirmed: An exploit targeting the delay module of Gnosis Pay was confirmed by co-founder Martin Köppelmann, affecting user transactions.
  • 2026-06-01 — Gnosis pledges to cover user losses: Gnosis announced it would fully reimburse users affected by the exploit, although the total losses remain undisclosed.
  • 2026-06-01 — PeckShield warns users: Blockchain security firm PeckShield alerted Gnosis Pay users to check their exposure and withdraw funds where possible due to the ongoing exploit.
  • Recent — Previous exploit reported: A separate incident drained $3 million from 86 Gnosis Safe wallets due to a vulnerability in a third-party module.

Related entities

  • Data Breach (Attack Type)
  • Gnosis (Company)
  • Base (Company)
  • Ethereum (Company)
  • Gnosis Safe (Company)
  • Safe (Company)
  • CWE-287 - Improper Authentication (Cwe)
  • gnosispay.com (Domain)
  • Gnosis Chain (Platform)
  • Gnosis Pay (Platform)
  • Visa Network (Platform)
  • SquidRouterModule (Platform)
  • Zodiac Delay Module (Platform)
  • Zodiac (Tool)