Key Highlights
- Gnosis Pay confirmed 100% of affected user funds were restored.
- The incident affected over 5,281 wallets and drained about $1.5 million.
- Gnosis Pay absorbed all losses internally and restored services within days.
Gnosis Pay, a decentralized self-custodial payment network, has released a detailed post-mortem on a security incident that occurred on June 1, 2026. The company confirmed that while attackers exploited a vulnerability in its card safe infrastructure, all user funds were fully restored with no losses borne by customers. Gnosis Pay absorbed the entire financial impact of the breach.
In a post-mortem report published on Friday, the team stated that Gnosis Pay’s monitoring systems, led by treasury manager NOCA, detected the first large unauthorized transfer at 06:17 UTC on June 1. Within two hours, the team identified the root cause. Card services were immediately taken offline, the bridge to Gnosis Chain was paused, and attacker-linked addresses were shared with stablecoin issuers for isolation.
The company also notified external projects that used similar infrastructure. The affected Zodiac modules were patched and submitted for review by ChainSecurity, while an emergency fund was established to support users with immediate needs.
Timeline of fund restoration
By the evening of June 3, Gnosis Pay had reactivated the first affected accounts, restoring balances and re-enabling cards. A phased rollout of newly engineered card safe modules followed, with full service restored to 99% of users by June 6 and the remaining accounts completed shortly after. No users lost funds.
The attack targeted the Delay Module and Roles Module, components from the Zodiac framework used in Gnosis Pay’s card safe infrastructure. Attackers leveraged a subtle flaw in the modules' ERC-1271 signature validation, which did not verify whether the underlying contract calls had succeeded. This allowed them to forge approvals and queue unauthorized withdrawals from user safes.
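As an added illustration (not code from Gnosis Pay or the Zodiac modules), this is the defensive shape of an ERC-1271 check in Solidity: the call's success flag, the return length and the exact magic value are all verified before a signature is accepted. The `StrictERC1271` library and its function name are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-1271 interface; the magic value is the selector of this function.
interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes memory signature) external view returns (bytes4);
}

// Hypothetical helper (not the Zodiac code): verifies a contract signature and
// treats any failed, malformed or non-magic response as an invalid signature.
library StrictERC1271 {
    bytes4 internal constant MAGIC = 0x1626ba7e; // IERC1271.isValidSignature.selector

    function isValidSignatureNow(address signer, bytes32 hash, bytes memory signature)
        internal
        view
        returns (bool)
    {
        // An address without code cannot be an ERC-1271 signer; a staticcall to it
        // would "succeed" with empty return data, so reject it up front.
        if (signer.code.length == 0) return false;

        (bool success, bytes memory result) =
            signer.staticcall(abi.encodeCall(IERC1271.isValidSignature, (hash, signature)));

        // All three conditions must hold: the call did not revert, it returned a
        // full ABI word, and that word is exactly the magic value. Inspecting the
        // returned bytes without also checking `success` is the pattern to avoid,
        // because revert data and return data arrive through the same buffer.
        return success
            && result.length >= 32
            && abi.decode(result, (bytes32)) == bytes32(MAGIC);
    }
}
```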
How the incident unfolded
The vulnerability had existed in Zodiac version 3.4.0 since October 30, 2023.
Attackers extracted approximately $1.5 million across various assets, primarily GNO, EURe and USDC.e, plus smaller holdings in other tokens. An additional ~$300,000 in funds became temporarily inaccessible, with recovery efforts ongoing. In total, the incident affected 5,281 wallets holding at least $1.
Gnosis Pay said it covered all losses internally and maintained open communication with partners and users. The detailed post-mortem includes a clear timeline, technical description of the exploit (with the attacker contract address: 0x5a77953caa27ed4638f4dfdc665b8064d0e97a35), and asset breakdown.
What proactive steps did the company take?
In response to the exploit, Gnosis Pay outlined several proactive steps:
- Expanding its security team with external researchers.
- Conducting a full internal review of on-chain and off-chain systems.
- Commissioning an independent holistic security assessment.
- Broadening audit scope to include external dependencies.
- Enhancing monitoring of upstream projects for timely patches.
- Rolling out an improved Gnosis Pay v2 product with better observability and streamlined operations.
Third-party dependencies remain a key audit concern
The incident highlights the importance of auditing not only proprietary code but also third-party software dependencies used in crypto infrastructure.
While Gnosis Pay’s decision to absorb the estimated $1.8 million impact prevented customer losses, it also underscores the operational costs associated with maintaining user protections following security incidents.
As stablecoin-based payment cards gain wider adoption, the security of underlying infrastructure, particularly shared open-source components, is likely to remain a key focus for both operators and users.