Key Highlights
- Gnosis Pay has restored normal card operations for more than 99% of users following a recent security incident.
- The company replaced all affected Safe accounts and linked them to users’ existing physical and virtual cards.
- The exploit stemmed from a vulnerability in the Delay Module, allowing attackers to initiate unauthorized transactions.
Gnosis Pay, the self-custodial Visa debit card service built on Gnosis Chain, today announced that card services have returned to normal operations for more than 99% of its users following a major security incident earlier this month.
In an official update shared via X on Saturday, the company confirmed that every Gnosis Pay Safe has been replaced with a new one integrated with the user’s existing physical and virtual cards to bolster account security. The update comes days after a vulnerability in the platform’s “Delay Module,” part of Gnosis’s Zodiac toolset for Safe smart accounts, was exploited.
This module was designed to impose a short delay (approximately three minutes) on outgoing transactions to give users time to react to potential unauthorized activity. However, attackers leveraged a signature-verification flaw in the module, enabling them to initiate transactions from affected Safes.
Detection of the exploit
On or around June 1, 2026, Gnosis Pay detected an active exploit targeting the Delay Module. Subsequently, Gnosis co-founder Martin Köppelmann publicly acknowledged the incident, confirming that attackers could initiate transactions from Safes equipped with the vulnerable module.
The team acted swiftly to contain the breach, including requesting a pause of certain bridge validators to limit cross-chain impacts. Gnosis also pledged to make all affected users whole, covering any losses in full.
The exploit affected card-linked Safe accounts but did not impact the broader Gnosis Safe infrastructure or Gnosis Chain itself. Users were initially advised to withdraw funds where possible, and operations were temporarily suspended to facilitate secure migrations.
A detailed post-mortem is expected in the coming weeks to outline the root cause, extent of the breach, and lessons learned.
Recovery process
As part of the recovery, all users received new card Safes linked to their existing cards and identity information. Users must now deposit funds only to the new Safe address displayed in their Gnosis Pay account or connected wallet. Deposits to old addresses, whether on-chain or via IBAN, will be lost permanently.
For the vast majority of users, the transition has been seamless, with card functionality restored. However, some users require an additional step to restore their card balance. Clear instructions are provided directly in the Gnosis Pay web app or the wallet used to access the card. The company has emphasized proactive support, stating it “won’t rest until any remaining issues are resolved.”
Security lessons for the industry
While the quick response and commitment to full reimbursement have helped maintain user confidence, the incident highlights the importance of rigorous auditing and rapid response in decentralized finance. Gnosis Pay continues to roll out enhancements and expects to provide more transparency on the incident’s scale and preventive measures soon.
Users experiencing difficulties are encouraged to reach out to official support channels. As the platform moves forward, this episode may strengthen its security posture and contribute valuable insights to the broader crypto ecosystem.
