The breach, disclosed on 1 June, hit the payment product that connects self-custodial crypto wallets with card spending. The affected component is linked to the Zodiac Delay Module, a mechanism designed to slow certain outgoing transactions from Safe-based accounts before execution. That delay is intended to give users a short window to react to unauthorised transfers, but the flaw allowed attackers to initiate transactions from Safes fitted with the module.
Gnosis co-founder Martin Köppelmann said the company was taking containment measures, including asking bridge validators to pause activity, while its technical teams worked to limit losses. He initially urged Gnosis Pay users to withdraw EURe and GNO from affected accounts, then deleted that warning after acknowledging that many users would not be able to move funds during the incident. He later said Gnosis would make users whole.
The company has not disclosed the value of assets drained, the number of accounts affected or the full technical route used by the attackers. A detailed post-mortem had not been published by Wednesday, leaving users and security researchers waiting for clarity on whether the weakness lay in the Delay Module’s code, its deployment in Gnosis Pay, or the wider configuration of permissions around card-linked Safe accounts.
Gnosis Pay’s architecture is built around the promise that users can spend digital assets while retaining control of their funds until a card transaction requires settlement. The product uses Safe smart accounts and modules that allow payment authorisations to flow through blockchain-based controls. A Roles Module is used to define permitted card-related actions, while the Delay Module places a short waiting period on certain outbound transactions.
That model has been central to the product’s appeal because it seeks to combine blockchain self-custody with everyday payments. It also means that auxiliary smart-contract modules, rather than only the core wallet itself, become critical security infrastructure. A bug in a module that has spending authority can expose funds even when the underlying wallet framework remains intact.
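As an added illustration (not code from Gnosis Pay or the Zodiac project), the following Python model sketches the queue-then-wait behaviour a delay module imposes on a Safe, together with the kind of allow-list check a monitoring team could run over the pending queue; the cooldown, expiration, recipient names and timestamps are constructed for the example.

```python
# Added illustration (not Gnosis Pay's or Zodiac's own code) of a delay module's
# queue-then-wait behaviour: a queued tx is executable only after a cooldown, is
# skipped once it expires, and the owner can cancel the pending queue in between.
from dataclasses import dataclass


@dataclass
class QueuedTx:
    nonce: int
    to: str
    value: int
    queued_at: int  # constructed block timestamp, in seconds


class DelayModule:
    def __init__(self, cooldown: int, expiration: int, allowed: set[str]):
        self.cooldown, self.expiration = cooldown, expiration
        self.allowed = allowed  # assumed allow-list of card-settlement recipients
        self.queue: list[QueuedTx] = []
        self.queue_nonce = 0  # nonce assigned to the next queued tx
        self.next_nonce = 0   # nonce of the next tx eligible to execute
        self.executed: list[QueuedTx] = []

    def enqueue(self, to: str, value: int, now: int) -> int:
        self.queue.append(QueuedTx(self.queue_nonce, to, value, now))
        self.queue_nonce += 1
        return self.queue_nonce - 1

    def execute_next(self, now: int):
        """Execute the oldest pending tx; None if nothing is executable."""
        tx = next((t for t in self.queue if t.nonce == self.next_nonce), None)
        if tx is None:
            return None
        if now < tx.queued_at + self.cooldown:
            raise PermissionError("cooldown has not elapsed")
        self.next_nonce += 1
        if now >= tx.queued_at + self.cooldown + self.expiration:
            return None  # stale entry is skipped, not executed late
        self.executed.append(tx)
        return tx

    def cancel_pending(self) -> int:
        """Owner reaction inside the window: drop every not-yet-executed tx."""
        dropped = self.queue_nonce - self.next_nonce
        self.next_nonce = self.queue_nonce
        return dropped

    def pending_outside_allowlist(self) -> list[QueuedTx]:
        """Monitoring check: pending txs whose recipient is not allow-listed."""
        return [t for t in self.queue
                if t.nonce >= self.next_nonce and t.to not in self.allowed]
```

The point of the model is that the waiting window only protects funds if someone is watching the queue and uses the cancel path before the cooldown elapses.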
Gnosis Pay operates as a UK-registered company and markets itself as a decentralised payments network linking traditional finance and decentralised finance. Its debit card is issued by Monavate Limited under a Visa Europe licence, with Monavate authorised and regulated by the Financial Conduct Authority as an electronic money institution. The incident therefore places scrutiny not only on smart-contract design but also on the operational resilience of crypto-linked payment products that rely on regulated partners.
EURe, one of the assets users were told to monitor, is a euro-denominated stablecoin issued by Monerium. GNO is the token associated with the Gnosis ecosystem. The warning to check both assets reflected the immediate concern that attacker-controlled transactions could affect balances held in Gnosis Pay-linked Safes.
The breach adds to a difficult period for Safe-module security. A separate attack days earlier drained about $3m from 86 Safe wallets across Ethereum and Base through a third-party module called SquidRouterModule. That incident has not been linked to the Gnosis Pay exploit, but it sharpened attention on the risks posed by plug-in modules that extend wallet functionality.
Security analysts have long warned that modular account systems need the same level of review as the wallets they extend. Modules are useful because they allow developers to add functions such as spending limits, automated payments, role-based permissions and timed execution. The same flexibility can create a broader attack surface when modules are granted authority over assets.
Gnosis’ pledge to reimburse users may help limit immediate reputational damage, but unanswered questions remain material. Users still need to know which accounts were exposed, whether all malicious queued transactions were stopped, how validators and partners coordinated the response, and when normal card-linked operations can resume safely.
