Gnosis has moved to contain a security breach affecting Gnosis Pay after attackers exploited a vulnerability in the Zodiac Delay Module. Co-founder Martin Köppelmann confirmed the incident on X, saying the company will compensate all affected users.
The company asked bridge validators to pause related bridge activity as it worked to limit further damage. Köppelmann initially warned users about an active exploit, writing: “Unfortunately, there is a hack related to @gnosispay and the ‘delay module’. Please be patient while we try to contain the damage. Rest assured, Gnosis will cover all user losses.”
He also clarified that an earlier message asking users to withdraw funds had been deleted. “Most users will not be able to do so, but we are actively working to contain the damage. We believe we can contain the majority of it, and in any case, we will ensure that all users are made whole,” he said.
Anatomy of the Zodiac Delay flaw
Gnosis Pay links self-custody crypto wallets to everyday consumer spending through a Visa-linked debit card. To keep this safe, the platform uses Safe smart accounts extended with modular components.
One of these core layers is the Zodiac Delay Module, a smart contract modifier designed to act as a security backstop. It enforces a mandatory time delay between when an external transaction is initiated and when it actually executes on-chain. This buffer window is meant to give defenders time to identify and veto unauthorized actions before they settle.
However, the attacker found an implementation flaw that defeated this safeguard. The bug allowed the attacker to bypass the module's verification gates and initiate outbound transactions directly from Safes that had the module enabled.
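To make the intended mechanism concrete, the following is a simplified Python model of a Zodiac-style delay modifier written for this article; it is not Gnosis or Zodiac code, and the cooldown value, sender names and transaction hashes are constructed. An enabled module can only queue a transaction, execution is refused until the cooldown has elapsed, and the Safe owner can veto queued entries by advancing the execution nonce, which is the window the attack described above bypassed.

```python
class DelayModifier:
    """Simplified model of a Zodiac-style delay modifier (constructed, not Zodiac code)."""

    def __init__(self, cooldown, owner, modules):
        self.cooldown = cooldown      # seconds a queued tx must wait before execution
        self.owner = owner            # the Safe owner, who can veto queued entries
        self.modules = set(modules)   # callers allowed to queue transactions
        self.queue = []               # list of (tx_hash, queued_at)
        self.tx_nonce = 0             # index of the next entry eligible to execute

    def queue_tx(self, sender, tx_hash, now):
        """An enabled module queues a tx; nothing leaves the Safe at this point."""
        if sender not in self.modules:
            raise PermissionError("sender is not an enabled module")
        self.queue.append((tx_hash, now))
        return len(self.queue) - 1    # queue nonce of the new entry

    def execute_next(self, tx_hash, now):
        """Execute the entry at tx_nonce only if the hash matches and the cooldown passed."""
        if self.tx_nonce >= len(self.queue):
            raise ValueError("nothing queued")
        queued_hash, queued_at = self.queue[self.tx_nonce]
        if tx_hash != queued_hash:
            raise ValueError("transaction hash does not match queued entry")
        if now < queued_at + self.cooldown:
            raise ValueError("cooldown not reached")
        self.tx_nonce += 1
        return tx_hash

    def veto(self, sender, new_nonce):
        """Owner skips queued entries below new_nonce: the veto the delay window exists for."""
        if sender != self.owner:
            raise PermissionError("only the owner can skip queued transactions")
        if not self.tx_nonce <= new_nonce <= len(self.queue):
            raise ValueError("nonce out of range")
        self.tx_nonce = new_nonce


def scenario():
    """Constructed run: early execution is refused and a vetoed tx never executes."""
    d = DelayModifier(cooldown=180, owner="owner", modules={"roles"})
    d.queue_tx("roles", "0xbad", now=1_000)   # suspicious request, queue nonce 0
    d.queue_tx("roles", "0xgood", now=1_000)  # legitimate payment, queue nonce 1
    early = None
    try:
        d.execute_next("0xbad", now=1_010)    # still inside the cooldown window
    except ValueError as err:
        early = str(err)
    d.veto("owner", 1)                        # owner skips 0xbad during the delay
    return early, d.execute_next("0xgood", now=1_200), d.tx_nonce
```

The model shows the property the module is supposed to guarantee: no queued transaction can execute until the cooldown passes, so a vetoed entry never settles.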
As the exploit unfolded, Köppelmann noted that most retail users would be unable to execute manual defensive withdrawals. In response, Gnosis teams moved to freeze the protocol by coordinating with validator networks to shut down all outbound bridge paths, cutting off the attacker’s exit routes.
Delay module faces new scrutiny
At press time, Gnosis Pay has not yet released an estimate of the total losses from the security breach. The company has also not published a full technical report on how the exploit occurred. As a result, it remains unclear how many users or accounts were affected. The project said it is still investigating whether all malicious activity has been fully stopped.
The incident has also renewed attention on risks linked to smart contract-based payment systems. Gnosis Pay connects self-custody crypto wallets to everyday spending through a Visa-linked card system.
While this setup allows users to spend crypto in real-world transactions, it also means that weaknesses in permission controls or smart contract modules can expose users to financial risk.
Recent attacks add context
The latest incident comes after another security breach involving infrastructure linked to Gnosis Safe. In that earlier attack, hackers stole about $3 million from 86 Safe wallets across Ethereum and Base, according to blockchain security firm Blockaid. The firm said the exploit was tied to a vulnerable third-party module called SquidRouterModule.
Blockaid reported that attackers took advantage of a flaw in the module’s executeSameChainActions() function. This allowed them to act as trusted delegates and approve transactions without authorization. The stolen funds were then swapped into DAI using liquidity pools on Uniswap V3 controlled by the attackers.
Separately, Gnosis has recently taken a more active approach to recovering lost funds. In April, Gnosis Chain carried out a hard fork that recovered $9.4 million linked to the November 2024 Balancer hack. The recovered assets were moved into a DAO-controlled wallet, while the community debated how the funds should be distributed.
The incidents highlight ongoing challenges in balancing user protection, decentralization, and rapid incident response in crypto systems.
