Gnosis Pay Hack Turns Its Delay Safeguard Into a Backdoor
Gnosis Pay, the self-custody crypto card built by the team behind Gnosis Chain, spent Monday in emergency mode after attackers exploited its Zodiac delay module. Martin Köppelmann, Gnosis co-founder and chief executive, confirmed the hack on June 1, told cardholders to pull their EURe and GNO holdings, then deleted that advice and pledged that the company would cover every user loss.
Here is the uncomfortable part. The delay module was built as a safety feature, a timed checkpoint meant to give cardholders a window to cancel a suspicious transfer before it settles. In this exploit, the mechanism designed to stop theft is the one the attacker used to get in.
A Warning, a Deletion, Then a Pledge
The first alert went out fast, then changed shape within the hour. Köppelmann urged Gnosis Pay users to “withdraw all funds (EURe and GNO),” and PeckShield, a blockchain security firm, amplified the warning, telling users they were “strongly urged to withdraw all funds” and should check their exposure. For a product whose whole pitch is that you, not a company, control your money, it was an alarming thing to wake up to.
Then the co-founder reversed course. He deleted the withdrawal post, explaining that most users would not be able to move their money during the exploit anyway, and shifted the message from self-rescue to company rescue. Gnosis, he said, would contain what it could and reimburse the rest.
Behind the public posts, the team worked to choke off the attacker’s exits. Gnosis asked bridge validators to pause related activity, a step meant to slow any attempt to move stolen funds across chains, and a later update pinned the flaw to the Zodiac delay module specifically, with the co-founder noting the attacker could start transactions from any Safe carrying that module. The basics of the product sit on the Gnosis Pay self-custodial card program page.
- Köppelmann posts the first alert urging Gnosis Pay users to withdraw their funds.
- PeckShield amplifies the warning and tells users to check their exposure.
- The co-founder deletes the withdrawal post, saying most users cannot withdraw mid-exploit.
- Gnosis asks bridge validators to pause to limit cross-chain movement of funds.
- A follow-up update ties the bug to the Zodiac delay module and repeats the pledge to cover losses.
What the Delay Module Was Built to Do
To see why a safety feature could empty wallets, you have to look at how a Gnosis Pay account is wired. Each card is backed by a Safe smart account, the same kind of programmable wallet that secures a large share of the crypto industry’s on-chain assets, and the account’s powers come from add-ons rather than the base wallet. Gnosis Pay fits two of them from Gnosis Guild’s Zodiac toolkit: a Roles module that limits what the card is allowed to touch, and a Delay module that governs timing. The behavior of the timing piece is spelled out in the Zodiac delay modifier’s open-source design.
Letting the Card Pull Funds Without a Signature
A debit card has to settle in seconds. You cannot stop at a grocery till to sign a blockchain transaction every time you tap, so Gnosis Pay grants the card issuer a narrow, automated permission to pull stablecoins from your self-custody wallet and settle each purchase with Visa. The Delay module is the gatekeeper for that permission: an approved address queues a transaction, and the wallet executes it once a short cooldown has passed.
That design is what lets the card feel like an ordinary piece of plastic while the money stays in a contract you own. It also leaves a standing, pre-authorized channel out of your wallet, refreshed every time you spend. Most crypto theft needs your keys or your signature; this setup is built so the issuer can move your funds without either, and that convenience is exactly what the attacker found a way to ride.
The Veto Window That Was Supposed to Catch Theft
The cooldown does more than stall a transaction; it opens a built-in veto window. Zodiac’s own documentation describes the modifier as a tool that lets a Safe mark a queued transaction as invalid before it runs. During the wait, reported at around three minutes for Gnosis Pay, the owner is meant to spot an unauthorized transfer and cancel it in time.
That is the theory the exploit broke. According to Köppelmann, the bug let an attacker start transactions straight from Safes that carry the module, turning a checkpoint built to catch bad transfers into a way to launch them. A veto window only helps if the transactions sitting in the queue are ones you can see and stop.
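To make the queue-and-veto mechanics of the last two sections concrete, here is a small Python model written for this article; it is not Gnosis Pay or Zodiac code. It follows only what the text describes (an approved address queues a transfer, the wallet executes it once a cooldown passes, the owner can mark a queued transfer invalid before then) plus one assumption taken from the Zodiac Delay design: transactions execute in nonce order, so a veto skips everything from the head of the queue up to the vetoed nonce. The class and function names, the issuer address, recipients, amounts and timestamps are all constructed. It does not model the bug itself, which the article does not detail; it shows why the window only protects an owner who is actually watching the queue.

```python
"""Toy model of a delay-gated Safe queue with an owner veto window (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class QueuedTx:
    nonce: int
    origin: str      # address that queued it (the issuer's automated path)
    to: str          # recipient
    value: int       # amount in the smallest unit (constructed: 2 decimals)
    queued_at: int   # timestamp when it entered the queue


class DelayQueue:
    """FIFO queue: a tx becomes executable `cooldown` seconds after queueing."""

    def __init__(self, cooldown: int, expiration: int, authorized: Set[str]) -> None:
        self.cooldown = cooldown
        self.expiration = expiration          # 0 disables expiry
        self.authorized = set(authorized)     # who may queue (the card issuer)
        self.txs: List[QueuedTx] = []         # list index doubles as nonce
        self.tx_nonce = 0                     # next nonce eligible to execute
        self.executed: List[int] = []
        self.skipped: List[int] = []

    def enqueue(self, origin: str, to: str, value: int, now: int) -> int:
        # The permission check the module is supposed to enforce.
        if origin not in self.authorized:
            raise PermissionError(f"{origin} is not allowed to queue transactions")
        tx = QueuedTx(len(self.txs), origin, to, value, now)
        self.txs.append(tx)
        return tx.nonce

    def pending(self) -> List[QueuedTx]:
        return self.txs[self.tx_nonce:]

    def veto(self, nonce: int) -> List[int]:
        """Owner veto: move the pointer past `nonce`, skipping it and any
        earlier still-pending tx (FIFO: you cannot skip only the tail)."""
        if nonce < self.tx_nonce or nonce >= len(self.txs):
            raise ValueError(f"nonce {nonce} is not pending")
        dropped = [t.nonce for t in self.txs[self.tx_nonce:nonce + 1]]
        self.skipped.extend(dropped)
        self.tx_nonce = nonce + 1
        return dropped

    def execute_next(self, now: int) -> Optional[QueuedTx]:
        """Execute the head of the queue if its cooldown has elapsed."""
        if self.tx_nonce >= len(self.txs):
            return None
        tx = self.txs[self.tx_nonce]
        if now - tx.queued_at < self.cooldown:
            return None                      # still inside the veto window
        if self.expiration and now > tx.queued_at + self.cooldown + self.expiration:
            self.skipped.append(tx.nonce)    # stale: drop instead of executing
            self.tx_nonce += 1
            return None
        self.tx_nonce += 1
        self.executed.append(tx.nonce)
        return tx


def flag_unexpected(queue: DelayQueue, known_recipients: Set[str], max_value: int) -> List[int]:
    """Owner-side monitor: nonces of pending txs going somewhere unknown or above
    a per-transaction ceiling. The veto window is only useful if the owner sees
    the queued transfer before its cooldown runs out."""
    return [t.nonce for t in queue.pending()
            if t.to not in known_recipients or t.value > max_value]


def run_scenario() -> Dict[str, object]:
    # Constructed scenario: 180 s cooldown (the article reports about three
    # minutes for Gnosis Pay), 30 min expiry, one authorized issuer address.
    q = DelayQueue(cooldown=180, expiration=1800, authorized={"issuer"})
    legit = q.enqueue("issuer", "settlement", 1250, now=0)        # 12.50 card purchase
    odd = q.enqueue("issuer", "unknown_addr", 500_000, now=10)    # 5,000.00 to a stranger

    flagged = flag_unexpected(q, known_recipients={"settlement"}, max_value=100_000)

    first = q.execute_next(now=180)       # the purchase clears after its cooldown
    dropped = q.veto(odd)                 # owner vetoes the flagged tx before t=190
    after_veto = q.execute_next(now=200)  # nothing left to run

    return {
        "flagged": flagged,
        "first_executed": first.nonce if first else None,
        "dropped": dropped,
        "after_veto": after_veto,
        "executed": list(q.executed),
        "skipped": list(q.skipped),
        "legit": legit,
        "odd": odd,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The FIFO veto is the design point worth noticing: because execution is in nonce order, an owner cannot drop a suspicious transfer sitting behind a legitimate one without either letting the legitimate one execute first or losing it too, which shrinks the effective veto window to whatever time remains after the head of the queue clears.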
Why Self-Custody Did Not Stop the Drain
Gnosis Pay sells one promise above all others: you hold the keys, and if the company vanished tomorrow, your money would still sit in a wallet only you control. That promise rests on the Safe smart account standard, one of the most widely used wallet systems in crypto. In this incident, none of it stopped the bleeding, and the private keys never even moved.
Vadim Zacodil, a former Near protocol core developer, laid out why. Gnosis Pay routes thousands of users’ self-custody through one shared delay layer that queues outgoing transactions from many Safes at once, so a bug in that layer can push malicious withdrawals into thousands of queues at the same moment, even though no single private key is ever stolen or signed away. The co-founder’s own reversal drove the point home: when he told users to withdraw and then took it back, the message underneath was that the exploit had already closed the manual exit.
Most users will not be able to do so, but we are actively working to contain the damage. We believe we can contain the majority of it, and in any case, we will ensure that all users are made whole.
That was the Gnosis chief on X, walking back his own withdrawal advice. The line points to where the protection came from. What shielded cardholders that day came down to Gnosis’s treasury and its ability to pause infrastructure, the corporate backstop Zacodil said was doing the real work while the self-custody wallets sat exposed. A reimbursement promise is only as good as the balance sheet behind it, which puts a centralized guarantee at the heart of a product sold on decentralization.
Who Has Funds on the Line
The exposure is not abstract. Gnosis Pay is a self-custody Visa debit card that spends regulated stablecoins straight from a Safe wallet on Gnosis Chain, with EURe, a euro stablecoin, as its main spending asset. EURe is issued by Monerium, a licensed European electronic money institution (EMI, a regulated issuer of digital money), and the issuer’s own breakdown of how Gnosis Pay settles card payments with Visa shows the pull-from-your-wallet mechanics in detail. At risk are the EURe balances cardholders keep on hand to spend, plus the GNO, the Gnosis network token, that many hold to earn cashback.
- 80 million Visa merchants worldwide accept the card, the reach that made spending from a wallet attractive in the first place.
- Over 2 billion EURe has moved on-chain through Monerium, which calls it the most widely used euro stablecoin.
- More than $100 billion in assets sits in Safe smart accounts across the industry, the wallet standard underneath the card.
The appeal and the risk are the same feature. Bridging crypto into a tap-to-pay card means wiring an automated path from your wallet to a merchant, and Oton Technology has tracked how crypto payment rails are reaching new front ends across the sector. Every one of those conveniences is a permission you grant ahead of time, and a permission granted ahead of time is something an attacker can try to trip.
A Module Risk the Industry Keeps Hitting
This is the second time in days that a module bolted onto a Safe wallet has turned into an open door, capping a punishing stretch for crypto security. In late May, attackers drained about $3 million from 86 Safe wallets by abusing a third-party add-on called SquidRouterModule, according to blockchain security firm Blockaid, which found that weak identity checks let them act as trusted delegates and move funds without a single wallet signature.
| Incident | Date | Module exploited | How it worked | Reported scale |
|---|---|---|---|---|
| Gnosis Pay delay-module exploit | June 1, 2026 | Zodiac Delay (official card config) | Attacker could start transactions from any Safe carrying the module | No figure published; Gnosis pledged full reimbursement |
| SquidRouterModule exploit | Late May 2026 | SquidRouterModule (third-party) | Weak identity checks let attackers act as trusted delegates without signatures | About $3 million across 86 Safe wallets |
The thread connecting them is the trade-off at the heart of smart accounts. Every module that makes a wallet more useful also widens what it can be told to do, and the core Safe contracts can stay perfectly intact while a permission layer above them gets tricked into signing off on a drain. It echoes a lesson security teams keep relearning in enterprise systems, where attackers abuse trusted credentials instead of breaking the core: the break-in rides a legitimate permission rather than a cracked lock.
For now, the size of the loss is unknown, no post-mortem has been published, and Gnosis and Gnosis Pay had not commented to reporters by Monday evening. If the company reimburses quickly and shows the flawed module has been neutralized, this stays a contained and expensive embarrassment. If the loss figure runs high or the fix drags, the scrutiny widens from one card to the module-based design that a growing list of crypto payment products now lean on.
Frequently Asked Questions
Should Gnosis Pay users withdraw EURe and GNO right now?
The co-founder first urged users to withdraw both assets, then deleted that advice, saying most people would not be able to move funds while the exploit was live. The current guidance is to watch official Gnosis Pay channels rather than rush a transaction that may not go through.
Will Gnosis reimburse users who lost money?
Yes. The co-founder said repeatedly that Gnosis will cover all user losses and make affected users whole. So far, the company has not published a final loss figure or a count of how many accounts were hit.
Is the Safe wallet itself compromised?
No. Gnosis said the flaw sits inside the Gnosis Pay delay-module setup, not in Safe’s core contracts. Safe spun out of Gnosis as a separate company in 2022 and remains the wallet standard securing the bulk of the funds involved.
What is the Zodiac delay module?
It is a Safe add-on from Gnosis Guild that enforces a timed cooldown between when a transaction is queued and when it executes. Gnosis Pay pairs it with a Roles module so the card can settle payments while leaving a short window to cancel suspicious transfers.
How did attackers move funds from self-custody wallets?
The bug let an attacker start transactions from any Safe carrying the delay module, so no private keys had to be stolen. Because many accounts share that delay layer, one flaw could queue withdrawals across thousands of wallets at once, according to developer analysis.
Disclaimer: This article is for informational purposes only and does not constitute financial, investment, or security advice. Cryptocurrency platforms carry a real risk of loss from exploits and smart-contract bugs, so consult a qualified financial or security professional before acting on any holdings. Figures and statements are accurate as of publication on June 1, 2026, and the situation described remains developing.