Key Highlights
- CertiK reported a $265,000 exploit targeting GnosisPay Safes on June 1.
- Attackers exploited a signature-verification flaw in the Delay module.
- The exploit affected 41 Safes and drained EURe and GNO tokens.
Blockchain security firm CertiK has published a comprehensive analysis of a sophisticated exploit targeting GnosisPay Safes on the Gnosis Chain, which occurred on June 1, 2026. The attack drained funds from dozens of Safes, with total losses estimated at approximately $265,000 in EURe and GNO tokens.
According to CertiK’s report, the exploit centered on a signature-verification flaw within the GnosisPay Delay module. This module is designed to add a security layer through time-delayed transaction execution, requiring signatures for authorization. However, the attacker exploited how the module’s moduleTxSignedBy() function parses the r, s, and v values from the msg.data calldata.
Unfolding the attack
The attack unfolded in carefully orchestrated stages. On May 29, the attacker first deployed 41 specialized attack contracts. These contracts were engineered to always return the EIP-1271 magic value when called via isValidSignature(), effectively impersonating legitimate signers without providing valid cryptographic proof.
The core exploitation occurred on June 1 at approximately 5:26 AM. The attacker invoked Delay.execTransactionFromModule(), crafting a complex msg.data payload. During verification in the moduleOnly() modifier, the function extracted signature components from the unparsed section of the calldata.
The verification process traversed a legitimate Biconomy Safe before reaching the attacker-controlled contract. By manipulating the r value, the attacker tricked the system into accepting the malicious transaction. Although a static call to the attack contract technically reverted, the returned magic value was misinterpreted as valid authorization.
Following a mandatory cooldown period enforced by the Delay module, the attacker executed the queued transactions around 5:57 AM on the same day. Each transaction transferred EURe and GNO from victim Gnosis Safes directly to attacker-controlled wallets. In total, 41 such transactions were processed, systematically draining the affected accounts.
CertiK’s report provides granular details on the technical root cause: improper handling of nested signature data in moduleTxSignedBy(), where the entire msg.data influenced verification rather than strictly the intended transaction parameters. This allowed the attacker to layer signatures, leveraging an intermediate Biconomy Safe and ultimately an always-compliant malicious contract.
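The following is an illustrative hardened verifier written for this article, not GnosisPay's or the Zodiac Delay module's own code. It shows the two properties the root-cause analysis points at: the signed digest is bound to the explicit transaction fields rather than to msg.data, and a reverted or malformed EIP-1271 response is treated as a rejection. The contract name, the single-owner and nonce scheme, and the function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example, not the GnosisPay Delay module. Two defensive properties:
//  1. The digest covers only the intended transaction fields, never raw msg.data.
//  2. An EIP-1271 signer is accepted only if the staticcall succeeded AND returned the magic value.
interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes calldata signature) external view returns (bytes4);
}

contract StrictModuleTxVerifier {
    bytes32 private constant EIP1271_MAGIC = bytes32(IERC1271.isValidSignature.selector); // 0x1626ba7e
    address public immutable owner; // assumed single authorized signer (EOA or contract)
    uint256 public nonce;           // replay protection, included in the signed digest

    constructor(address _owner) { owner = _owner; }

    /// @dev Digest binds chain, verifier, and the explicit transaction parameters only.
    function moduleTxHash(address to, uint256 value, bytes memory data, uint8 operation, uint256 _nonce)
        public view returns (bytes32)
    {
        return keccak256(abi.encode(block.chainid, address(this), to, value, keccak256(data), operation, _nonce));
    }

    function isSignedByOwner(bytes32 digest, bytes memory sig) public view returns (bool) {
        if (owner.code.length == 0) {
            // EOA path: exactly 65 bytes, canonical low-s, v in {27, 28}, recovered address must match.
            if (sig.length != 65) return false;
            bytes32 r; bytes32 s; uint8 v;
            assembly { r := mload(add(sig, 0x20)) s := mload(add(sig, 0x40)) v := byte(0, mload(add(sig, 0x60))) }
            if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) return false;
            if (v != 27 && v != 28) return false;
            address recovered = ecrecover(digest, v, r, s);
            return recovered != address(0) && recovered == owner;
        }
        // Contract path: a revert, a short return, or a wrong word is a rejection, not a pass.
        (bool ok, bytes memory ret) = owner.staticcall(abi.encodeCall(IERC1271.isValidSignature, (digest, sig)));
        return ok && ret.length == 32 && abi.decode(ret, (bytes32)) == EIP1271_MAGIC;
    }

    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation, bytes calldata sig)
        external returns (bool success)
    {
        require(operation == 0, "call only"); // delegatecall deliberately not supported here
        bytes32 digest = moduleTxHash(to, value, data, operation, nonce++);
        require(isSignedByOwner(digest, sig), "unauthorized");
        (success, ) = to.call{value: value}(data);
    }
}
```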
Flow of funds in the attack
Beyond the technical mechanics, fund flow analysis reveals the attacker’s post-exploit laundering efforts. The primary exploit wallet (0x81BA8A2b895D30280bca199C2Ff75f3F058d4C6c) bridged roughly $246,000 worth of USDT from Ethereum to the Hyperliquid network.
Funds were subsequently routed to another address (0xb1834575349c6eb56675c35b4109c3d3a77dd2fc), where portions were swapped for Monero (XMR), a privacy-focused cryptocurrency often used to obscure trails.
Complexities in established protocols
The GnosisPay incident serves as a stark reminder of the complexities involved in securing modular smart contract systems. Gnosis Safes, widely regarded for their multi-signature security features, were compromised not through direct key theft but via a subtle flaw in an integrated delay mechanism. This attack demonstrates how even established protocols can fall victim to advanced calldata manipulation and EIP-1271 signature validation bypasses.
Such incidents underscore the need for more rigorous auditing of interdependent modules and improved isolation between transaction data and signature verification logic. As DeFi continues to mature, projects must prioritize defensive programming patterns that guard against nested or malformed calldata attacks.
The exploit, while relatively modest in scale compared to some past DeFi hacks, illustrates the persistent cat-and-mouse game between security teams and adversaries. With blockchain ecosystems handling billions in value, incidents like this reinforce the critical importance of continuous security research and proactive vulnerability disclosure.
