Gnosis Pay Delay Module Exploited; Project Pledges Refunds

Gnosis Pay’s shared delay module was exploited Monday; co‑founder Martin Köppelmann acknowledged the hack and pledged the project will reimburse affected users.

Gnosis Pay’s shared “delay” module was exploited Monday, the project’s co‑founder Martin Köppelmann acknowledged, and the team pledged to reimburse users affected by the incident. Köppelmann wrote that the team is “actively working to contain the damage” and will “make users whole.”

The vulnerability involves a delay layer Gnosis Pay uses to schedule outgoing transactions for many smart contract wallets, known as Safes. Technical observers say the module queues transactions across multiple Safes, so an attacker who abuses that layer can insert malicious withdrawals into many users’ queues at once while individual private keys remain unchanged. Former protocol developer Vadim Zacodil observed that Gnosis Pay routes self‑custody through this shared delay layer, increasing the impact of a single exploit. He added that mitigation in practice depends on Gnosis’s ability to pause services and cover losses from its treasury.

Köppelmann initially urged users to withdraw funds. Security firm PeckShield amplified that warning and advised users to withdraw holdings such as EURe and GNO and to check their exposure. Köppelmann later deleted his initial post and revised his guidance, saying most users would not be able to withdraw funds while the team worked to contain the incident. Gnosis has not published a full accounting of affected contracts or users.

Key details remain unclear, including the total amount taken, which contracts or individuals were affected, and whether the root cause is a flaw in the Zodiac delay module, an incorrect configuration inside Gnosis Pay, or a wider architectural issue. Gnosis has reiterated it will cover user losses but has not provided a timetable for reimbursements.

The exploit follows a separate recent incident in which a third‑party module, SquidRouterModule, was abused to drain about $3.2 million from roughly 86 Safes across Ethereum and Base. Those involved described that earlier vulnerability as lying outside core wallet protocols. Data from blockchain security firm CertiK showed total crypto exploit losses fell to about $68.3 million in May, down roughly 90% from April and marking the third month this year with losses under $100 million.

Initial guidance for Gnosis Pay users urged checking exposures and considering withdrawals, though official advice shifted as the team assessed the situation. Gnosis continues to work on containment and has pledged to reimburse affected users.
