Gnosis Pay Exploit Tied To Zodiac Delay Module As Users Exit

Gnosis Pay users were urged to withdraw funds after an active exploit linked to the platform’s Zodiac delay module, according to posts from Gnosis co-founder Martin Köppelmann and blockchain security firm PeckShield.

Summary

  • Gnosis Pay users were told to withdraw EURe and GNO after a delay module exploit.
  • Köppelmann said the bug lets an attacker initiate transactions from Safes using the module.
  • Gnosis said it would cover user losses while asking bridge validators to pause activity.

“If you are a Gnosis Pay user – unfortunately I have to recommend: withdraw all funds (EURe and GNO),” Martin Köppelmann said on X.

He said the delay module has a bug and warned that users “might be affected.” The post told users to move both EURe and GNO from Gnosis Pay while the team worked on the issue.

“Users are strongly urged to withdraw all funds (EURe and GNO),” PeckShield said in a separate alert.

The blockchain security firm said Köppelmann had warned about an active exploit related to Gnosis Pay. It also told users to check their exposure because they may be affected.

Zodiac delay module bug tied to attack

“The bug is related to the Zodiac delay module,” Köppelmann said in a later update.

He said the attacker can initiate transactions from Safes that use the delay module. The update gave more detail on the technical source of the exploit after the first warning referred only to a delay module bug.

Gnosis Pay uses Safe-based accounts with smart contract modules. Its own documentation says Gnosis Pay accounts use a Delay Module and a Roles Module to support card payments while keeping users in control of their accounts.

The Delay Module is designed to place a short wait before outgoing transactions can execute. In normal use, that gives users time to react before certain transfers are completed.

Gnosis moves to contain damage

“We are doing various measures to contain the damage like asking bridge validators to pause,” Köppelmann said.

The statement shows that Gnosis is working with outside infrastructure providers while it responds to the exploit. Bridge validators can play a role in cross-chain movement, so a pause may help slow further movement of affected funds.

“Rest assured, Gnosis will cover all user losses,” Köppelmann said.

No final loss figure had been published at the time of writing. The team has also not released a full post-mortem explaining how many accounts were affected or whether all attacker activity has stopped.

Wider payment security context

As previously reported by crypto.news, Gnosis Pay launched a self-custody card for crypto spending at Visa merchants. The product was built to connect blockchain wallets with real-world payments.

That design places Gnosis Pay in a growing group of crypto payment tools that use smart contracts to support everyday spending. It also puts more attention on the code that controls wallet permissions and transaction timing.

The latest warning does not describe Gnosis Pay as shut down. It says users should withdraw EURe and GNO while the team works to contain the exploit.
