The team behind Zodiac has disclosed the vulnerability linked to the recent Gnosis Pay security incident, revealing that the issue stemmed from flaws in two Zodiac modules rather than the underlying Safe wallet infrastructure.
In a security update posted on X on June 2, Zodiac said the vulnerability affected Roles Modifier v2 and Delay Modifier v1.1.0 under a specific set of conditions. The disclosure follows a security incident that prompted Gnosis Pay to halt bridge activity while teams worked to contain unauthorized transactions.
Flaw limited to specific Zodiac configurations
According to Zodiac, the vulnerability only affected accounts where either the Roles Modifier v2 or Delay Modifier v1.1.0 module was enabled and where a Safe account using a vulnerable fallback handler had been assigned as a module or role member.
The team emphasized that the issue did not affect Safe smart contracts, Safe{Wallet} infrastructure, account recovery systems, or the Safe user interface. Zodiac also said other module configurations were not impacted.
The project stated that it had been working directly with affected users before publicly disclosing the issue and that more than 95% of identifiable affected accounts had already taken corrective action. Users with either module enabled were urged to review their configurations and apply the recommended mitigation steps.
Root cause linked to third-party modules
Following Zodiac’s disclosure, Safe Labs issued a clarification stating that the vulnerability originated in two third-party Zodiac modules rather than in Safe’s core infrastructure.
The organization reiterated that Safe smart contracts, wallet infrastructure, and user-facing systems were not affected. Safe Labs said it is coordinating with Zodiac, Gnosis, and members of the security community as response efforts continue.
Meanwhile, Gnosis co-founder Martin Köppelmann said the newly disclosed vulnerability is the root cause of the Gnosis Pay incident and noted that several projects beyond Gnosis Pay were affected. He added that teams had attempted to notify impacted projects privately before public disclosure.
How the exploit impacted Gnosis Pay
The vulnerability came to light after Gnosis Pay disclosed an active exploit involving the Zodiac Delay Module. Gnosis Pay connects self-custody crypto wallets to a Visa-linked payment card system using Safe smart accounts and modular security components. One of those components, the Zodiac Delay Module, is designed to impose a waiting period between transaction approval and execution, providing time to detect and block unauthorized activity.
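To make the mechanism in the paragraph above concrete, here is a small Python model of what a delay modifier is meant to enforce: a module can only queue a transaction, nothing executes until a cooldown has passed, the owner can cancel during that window, and stale entries expire. This is an added example written for this page, not Zodiac's contract code and not the vulnerable code path; the names (DelayQueue, queue, execute_next, cancel_all, skip_expired), the cooldown and expiration values and the sample transactions are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """A queued call; constructed sample data, not a real transaction format."""
    to: str
    value: int
    data: bytes = b""


class DelayError(Exception):
    """Raised when the queue rejects an operation."""


class DelayQueue:
    """Intended behaviour of a delay modifier in front of a smart account.

    Hypothetical model: an enabled module may only *queue* transactions;
    nothing executes until `cooldown` seconds have passed, which is the
    window in which the owner can inspect the queue and cancel anything
    unexpected. Entries left past `cooldown + expiration` can no longer run.
    """

    def __init__(self, owner: str, cooldown: int, expiration: int) -> None:
        self.owner = owner
        self.cooldown = cooldown
        self.expiration = expiration            # 0 means queued txs never expire
        self.modules: set[str] = set()
        self.pending: list[tuple[int, Tx]] = []  # (queued_at, tx), FIFO order
        self.executed: list[Tx] = []

    def enable_module(self, caller: str, module: str) -> None:
        if caller != self.owner:
            raise DelayError("only the owner may enable modules")
        self.modules.add(module)

    def queue(self, caller: str, tx: Tx, now: int) -> int:
        """A module proposes a tx; returns its position in the queue."""
        if caller not in self.modules:
            raise DelayError("caller is not an enabled module")
        self.pending.append((now, tx))
        return len(self.pending) - 1

    def execute_next(self, tx: Tx, now: int) -> Tx:
        """Execute the head of the queue, but only once the cooldown has elapsed.

        The caller must pass the exact tx it expects to run, so a queued entry
        cannot be swapped for a different one at execution time.
        """
        if not self.pending:
            raise DelayError("nothing queued")
        queued_at, head = self.pending[0]
        if head != tx:
            raise DelayError("tx does not match the head of the queue")
        if now < queued_at + self.cooldown:
            raise DelayError(f"cooldown not elapsed ({queued_at + self.cooldown - now}s left)")
        if self.expiration and now > queued_at + self.cooldown + self.expiration:
            raise DelayError("tx expired; skip it instead")
        self.pending.pop(0)
        self.executed.append(head)  # a real account would perform the call here
        return head

    def cancel_all(self, caller: str) -> int:
        """Owner reaction inside the delay window: drop every pending tx."""
        if caller != self.owner:
            raise DelayError("only the owner may cancel")
        n = len(self.pending)
        self.pending.clear()
        return n

    def skip_expired(self, now: int) -> int:
        """Drop head entries whose execution window has closed."""
        dropped = 0
        while self.pending and self.expiration:
            queued_at, _ = self.pending[0]
            if now <= queued_at + self.cooldown + self.expiration:
                break
            self.pending.pop(0)
            dropped += 1
        return dropped


def demo() -> dict:
    """Walk through the outcomes the delay is designed to produce."""
    q = DelayQueue(owner="owner", cooldown=3 * 24 * 3600, expiration=24 * 3600)
    q.enable_module("owner", "card-module")
    out = {}

    # 1. A legitimate payment: blocked during the cooldown, allowed after it.
    pay = Tx(to="0xmerchant", value=50)
    q.queue("card-module", pay, now=0)
    try:
        q.execute_next(pay, now=3600)
        out["early_execution"] = "allowed"
    except DelayError:
        out["early_execution"] = "rejected"
    out["after_cooldown"] = q.execute_next(pay, now=q.cooldown) is pay

    # 2. An unexpected drain: the owner spots it during the delay and cancels.
    t2 = q.cooldown + 100
    drain = Tx(to="0xattacker", value=10_000)
    q.queue("card-module", drain, now=t2)
    out["cancelled"] = q.cancel_all("owner")
    out["drain_executed"] = drain in q.executed

    # 3. A tx nobody executed in time expires and is skipped.
    t3 = t2 + 200
    q.queue("card-module", Tx(to="0xmerchant", value=5), now=t3)
    out["skipped"] = q.skip_expired(now=t3 + q.cooldown + q.expiration + 1)

    # 4. Anyone who is not an enabled module cannot queue at all.
    try:
        q.queue("stranger", pay, now=t3)
        out["stranger_queue"] = "allowed"
    except DelayError:
        out["stranger_queue"] = "rejected"
    return out
```

The security property lives in the gap between queue() and execute_next(): an owner or a monitoring system has the whole cooldown to call cancel_all() before any value moves, and anything left too long is dropped by skip_expired() rather than executed late. What the article describes is an attacker reaching execution on certain module and fallback-handler configurations without that window doing its job; the model shows only the guard the modifier is supposed to enforce, not how it was bypassed.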
Investigators found that the vulnerability allowed attackers to bypass intended security controls and execute transactions from affected Safes. As the exploit unfolded, Gnosis coordinated with bridge validators to pause bridge operations and limit further movement of funds.
At the time of the incident, Köppelmann said the company expected to contain most losses and pledged that affected users would be fully reimbursed.
Gnosis Pay begins recovery process
As response efforts continued, Gnosis Pay said on June 2 that the incident had been fully contained and that operations would begin resuming in phases starting Wednesday evening (GMT+2).
In a detailed X thread, the company said every user will receive a new card-linked Safe connected to their existing card and identity profile. For users affected by the exploit, the new Safe will be funded with the same balance that was held previously. Unaffected users will be required to migrate funds from their existing Pay Safe to the new account structure.
Gnosis Pay also said it plans to release additional details about the incident at a later date and warned users to remain vigilant against scammers and impersonators attempting to exploit the situation. The company stressed that team members would not contact users privately or request funds through direct messages.
Post-mortem expected
Zodiac said a full post-mortem will be published once the investigation is complete. The team apologized for the disruption caused by the incident and said it continues to assist affected users.
The disclosure provides the clearest explanation so far of the technical issue behind the Gnosis Pay exploit, while narrowing its scope to a specific combination of Zodiac modules and Safe account configurations rather than a broader flaw in Safe’s wallet infrastructure.