Gnosis Pay Exploit Hits Delay Module
Gnosis is working to contain an exploit affecting its Gnosis Pay product after co-founder Martin Köppelmann said a bug in the payment system’s delay module allowed attackers to initiate transactions from affected Safe accounts.
Gnosis Pay said it is investigating and will share updates. Köppelmann said the company will cover user losses tied to the incident.
Delay Module Bug Hit Gnosis Pay Safes
The incident is sensitive because Gnosis Pay links self-custody Safe accounts to card spending. Public documentation says Gnosis Pay accounts use a Safe account modified by a Delay Module and a Roles Module.
The delay feature is designed to hold outgoing user-initiated transactions for three minutes so card settlements can complete on-chain. Köppelmann said the bug was related to the Zodiac Delay Module. He said an attacker could initiate transactions from Safes using the affected setup.
Köppelmann Urged EURe and GNO Withdrawals
In his initial warning, Köppelmann urged users to withdraw EURe and GNO. PeckShield later amplified the warning.
Köppelmann later said the team was working on containment and that most users would not be able to protect funds manually while response steps were underway.
Gnosis Has Not Disclosed Loss Total
Gnosis has not yet published a technical postmortem or confirmed the total amount drained. Reports on the incident said bridge validators were asked to pause activity as part of containment.
Gnosis has not disclosed how many accounts were affected or which exact contracts were exploited beyond the delay-module link.
Safe Core Contracts Not Reported Compromised
Current reporting points to the module layer used by Gnosis Pay rather than to any reported compromise of Safe’s core smart account contracts. That distinction matters for users because the issue appears tied to Gnosis Pay’s module setup, not to a broad Safe protocol failure.
Gnosis has not yet disclosed the total loss, the number of affected accounts or the exact exploit mechanics. The next update is expected to clarify whether the fault came from the Zodiac Delay Module, Gnosis Pay’s implementation of it or the surrounding account configuration.