Gnosis Pay Exploit Targets Delay Module, User Losses Expected

Severity: High (Score: 66.0)

Sources: help.gnosispay.com, Theblock.Co, Thedefiant

Published: 2026-06-01 · Updated: 2026-06-01

Keywords: gnosis, safe, wallets, delay, module, exploit, self-custodial

Summary

Gnosis Pay, a self-custodial Visa debit card on Gnosis Chain, suffered an exploit affecting its delay module, which controls card accounts. Co-founder Martin Köppelmann confirmed the attack on June 1, 2026, but details on the amount stolen or number of affected accounts remain undisclosed. Gnosis has pledged to cover all user losses and is taking measures to contain the damage, including pausing cross-chain transfers. The exploit allows attackers to initiate transactions from Safe wallets with the delay module, undermining the security promise of self-custody. Blockchain security firm PeckShield has flagged the exploit, advising users to check their exposure. This incident follows a previous attack that drained $3 million from 86 Safe wallets across Ethereum and Base. Gnosis Pay's official account initially advised users to withdraw funds but later retracted that advice, stating that most users would not be able to do so.

Key Points:

  • Gnosis Pay's delay module exploit allows unauthorized transaction initiation.
  • Gnosis has committed to reimbursing all user losses from the incident.
  • The exploit follows a previous attack that drained $3 million from other wallets.

Detailed Analysis

**Impact** Gnosis Pay users with Safe wallets connected to the Visa debit card service are affected by an exploit targeting the delay module, which controls transaction timing. The exact number of compromised accounts and total funds stolen remain undisclosed, though losses are expected. The incident impacts users globally who utilize Gnosis Pay’s self-custodial stablecoin spending solution. Gnosis has pledged to cover all user losses, mitigating direct financial harm but potentially affecting the broader Gnosis ecosystem token (GNO), which saw a 2.8% price decline.

**Technical Details** The attacker exploited a vulnerability in the delay module of Gnosis Pay’s Safe smart accounts, which imposes a roughly three-minute delay on outgoing transactions to allow user intervention. This module is part of Zodiac, an open-source toolset for Safe-based accounts. The exploit enabled unauthorized transaction initiation from Safes with the delay module, bypassing the intended security delay. No CVEs or malware names were disclosed. The attack is distinct from a recent unrelated exploit involving the SquidRouterModule affecting other Safe wallets.

**Recommended Response** Users should immediately check their exposure and withdraw funds where possible, particularly EURe and GNO tokens, as advised by security firms. Gnosis is working to contain the damage, including pausing bridge validators to limit cross-chain transfers. Defenders should monitor transaction activity on Safe wallets with the delay module and watch for unauthorized outgoing transactions. No specific patches or technical mitigations have been published; ongoing investigation updates from Gnosis are awaited.

Source articles (3)

  • 'Gnosis will cover all user losses' amid exploit related to Gnosis Pay, co — Theblock.Co · 2026-06-01
    Gnosis co-founder and CEO Martin Koppelmann confirmed Monday an active exploit related to Gnosis Pay involving the Zodiac delay module. "Unfortunately, there is a hack related to Gnosis Pay and the 'd…
  • Gnosis Pay Hit by 'Delay Module' Exploit as Gnosis Pledges to Cover User Losses — Thedefiant · 2026-06-01
    Gnosis Pay, the self-custodial Visa debit card built on Gnosis Chain that lets users spend stablecoins directly from their own Safe wallets, was hit by an active exploit targeting the "delay module"…
  • Safe wallets — help.gnosispay.com · 2026-06-01
    Gnosis Pay is a self-custodial payment system that allows you to spend stablecoins directly from your own Gnosis Safe wallet, giving you full control over your funds without needing to trust a third p…

Timeline

  • 2026-06-01 — Gnosis Pay exploit confirmed: Gnosis Pay's delay module was exploited, allowing unauthorized transactions from Safe wallets. The company pledged to cover user losses.
  • 2026-06-01 — PeckShield flags exploit: Blockchain security firm PeckShield warned Gnosis Pay users to check their exposure and withdraw funds where possible.
  • Recent — Previous attack reported: A separate incident drained $3 million from 86 Safe wallets across Ethereum and Base, unrelated to Gnosis Pay's delay module.

Related entities

  • Data Breach (Attack Type)
  • Gnosis (Company)
  • Base (Company)
  • Ethereum (Company)
  • Gnosis Safe (Company)
  • Safe (Company)
  • CWE-287 - Improper Authentication (CWE)
  • gnosispay.com (Domain)
  • Gnosis Chain (Platform)
  • Gnosis Pay (Platform)
  • Visa Network (Platform)
  • SquidRouterModule (Platform)
  • Zodiac (Tool)