Gnosis co-founder and CEO Martin Koppelmann confirmed Monday an active exploit targeting Gnosis Pay involving the Zodiac delay module. The attack exploited a permission layer that allows transactions to be queued before execution, enabling the attacker to initiate transactions from Safe wallets carrying the module. Koppelmann stated that Gnosis will cover all user losses and asked bridge validators to pause as part of containment efforts. Blockchain security firm PeckShield flagged the exploit and warned users to check their exposure. The incident follows a separate exploit days earlier that drained $3.2 million from 86 Gnosis Safe wallets via a vulnerable third-party module.
Zodiac Delay Module Vulnerability Enables Transaction Exploitation
The attack exploited the Zodiac Delay module, a Safe module that sits between a Safe and the contracts authorised to act on it: transactions are queued first and can only be executed once a cooldown period has elapsed. Because an enabled module executes through the Safe without owner signatures, a flaw in the module itself is enough to move funds from every Safe on which it is enabled. Koppelmann said the attacker was able to initiate transactions from Safe wallets carrying such a module. The extent of the drain, and whether funds had already been lost, were not immediately confirmed.
Gnosis Requests Bridge Validator Pause and Promises Full User Reimbursement
"Unfortunately, there is a hack related to Gnosis Pay and the 'delay module.' Please be patient while we try to contain the damage. Rest assured, Gnosis will cover all user losses," Koppelmann wrote on X. Gnosis is asking bridge validators to pause as part of its containment response. Koppelmann had posted an earlier alert urging all Gnosis Pay users to withdraw EURe and GNO immediately, but deleted that post ahead of the updated statement. "Deleted an earlier tweet that asked users to withdraw funds," Koppelmann said. "Most users will not be able to do so, but we are actively working to contain the damage. We believe we can contain the majority of it, and in any case, we will ensure that all users are made whole."
Gnosis Pay Built on Safe Infrastructure as Separate Entity Since 2022
Gnosis Pay is a product of Gnosis, the Ethereum infrastructure organization co-founded by Koppelmann, and should not be confused with Safe — formerly Gnosis Safe — which spun out from Gnosis in 2022 as an independent entity after raising $100 million. The two remain closely linked. Gnosis Pay is built on Safe's smart contract wallet infrastructure, with Safe securing the self-custodial wallets underlying every Gnosis Pay card. The delay-module bug flagged on Monday sits within the Gnosis Pay system, not Safe's core contracts.
SquidRouterModule Exploit Drained $3.2 Million Days Before Current Incident
The alert arrives days after a separate exploit drained $3.2 million from 86 Gnosis Safe wallets via a vulnerable third-party module called SquidRouterModule. That incident involved weak identity validation in an unofficial module: the module did not adequately verify who was calling it, so an attacker could hand it arbitrary calldata that it relayed to the Safe through the module interface, which executes without requiring any wallet signatures.
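The common thread between the two incidents is the Safe module permission model: owner signatures gate ordinary transactions, but an enabled module can call the Safe directly, so the module's own access control becomes the security boundary. The following is an added illustration written for this page, not Safe's, Zodiac's or Gnosis Pay's code, and it does not reconstruct the actual defects in either module (the page does not describe them). It models a Safe with a no-caller-check forwarder of the kind described for the unofficial module, a scoped forwarder beside it, and a delay-style queue with the cooldown and queue-invalidation levers a Delay-type module offers during containment. All addresses, balances and names are constructed sample values.

```python
"""Simplified model of Safe module permissions (added illustration, not real
Safe/Zodiac code). Addresses and balances below are constructed values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    to: str
    value: int          # modelled as a plain balance transfer
    data: bytes = b""   # arbitrary calldata the Safe would forward


class Safe:
    """Owner signatures gate execTransaction; an enabled module skips them."""

    def __init__(self, address, owners, threshold, balance):
        self.address, self.owners, self.threshold = address, frozenset(owners), threshold
        self.balance, self.modules, self.executed = balance, set(), []

    def enable_module(self, caller, module):
        # Like Safe.enableModule: only the Safe itself (an owner-signed tx) may
        # grant module rights. This is the moment trust is delegated.
        if caller != self.address:
            raise PermissionError("only the Safe may enable modules")
        self.modules.add(module)

    def exec_transaction(self, call, signers):
        if len(frozenset(signers) & self.owners) < self.threshold:
            raise PermissionError("not enough owner signatures")
        return self._execute(call)

    def exec_transaction_from_module(self, caller, call):
        # No signature check here (Safe v1.3 reverts with GS104 otherwise):
        # whatever an enabled module lets through, the Safe executes.
        if caller not in self.modules:
            raise PermissionError("caller is not an enabled module")
        return self._execute(call)

    def _execute(self, call):
        if call.value > self.balance:
            return False
        self.balance -= call.value
        self.executed.append(call)
        return True


class OpenForwarder:
    """Weak-validation pattern: no check on who is calling the module."""

    def __init__(self, address, safe):
        self.address, self.safe = address, safe

    def forward(self, caller, call):
        return self.safe.exec_transaction_from_module(self.address, call)


class ScopedForwarder:
    """Hardened variant: restrict callers and the targets they may reach."""

    def __init__(self, address, safe, operators, allowed_targets):
        self.address, self.safe = address, safe
        self.operators, self.allowed_targets = set(operators), set(allowed_targets)

    def forward(self, caller, call):
        if caller not in self.operators:
            raise PermissionError("caller not authorised")
        if call.to not in self.allowed_targets:
            raise PermissionError("target not allowed")
        return self.safe.exec_transaction_from_module(self.address, call)


class DelayQueue:
    """Delay-style modifier: enabled proposers enqueue, anyone executes after
    the cooldown, and the Safe can invalidate the queue during an incident."""

    def __init__(self, address, safe, cooldown, expiration):
        self.address, self.safe = address, safe
        self.cooldown, self.expiration = cooldown, expiration
        self.proposers, self.queue, self.tx_nonce = set(), [], 0

    def enable_proposer(self, caller, proposer):
        if caller != self.safe.address:
            raise PermissionError("only the Safe may enable proposers")
        self.proposers.add(proposer)

    def enqueue(self, caller, call, now):
        if caller not in self.proposers:
            raise PermissionError("caller is not an enabled proposer")
        self.queue.append((now, call))

    def execute_next(self, call, now):
        if self.tx_nonce >= len(self.queue):
            raise ValueError("queue empty")
        queued_at, queued = self.queue[self.tx_nonce]
        if now < queued_at + self.cooldown:
            raise ValueError("cooldown not elapsed")
        if now > queued_at + self.cooldown + self.expiration:
            raise ValueError("transaction expired")
        if call != queued:
            raise ValueError("parameters do not match queued transaction")
        self.tx_nonce += 1
        return self.safe.exec_transaction_from_module(self.address, call)

    def invalidate_queue(self, caller):
        # Containment lever: the Safe skips everything still waiting.
        if caller != self.safe.address:
            raise PermissionError("only the Safe may skip queued transactions")
        self.tx_nonce = len(self.queue)


def demo():
    """Walk the scenarios; returns outcomes keyed by scenario name."""
    safe = Safe("0xSafe", owners={"0xAlice", "0xBob"}, threshold=2, balance=100)
    weak = OpenForwarder("0xWeak", safe)
    scoped = ScopedForwarder("0xScoped", safe, {"0xOps"}, {"0xMerchant"})
    delay = DelayQueue("0xDelay", safe, cooldown=180, expiration=86_400)
    for module in (weak.address, scoped.address, delay.address):
        safe.enable_module(safe.address, module)      # owner-approved enablement
    delay.enable_proposer(safe.address, "0xCardBackend")

    def attempt(fn):
        try:
            return fn()
        except (PermissionError, ValueError) as exc:
            return str(exc)

    drain, pay, out = Call("0xAttacker", 60), Call("0xMerchant", 10), {}
    out["direct_no_sigs"] = attempt(lambda: safe.exec_transaction(drain, ["0xAttacker"]))
    out["weak_module"] = attempt(lambda: weak.forward("0xAttacker", drain))
    out["scoped_module"] = attempt(lambda: scoped.forward("0xAttacker", drain))
    out["attacker_enqueue"] = attempt(lambda: delay.enqueue("0xAttacker", drain, now=0))
    delay.enqueue("0xCardBackend", pay, now=0)
    out["execute_early"] = attempt(lambda: delay.execute_next(pay, now=60))
    out["execute_after_cooldown"] = attempt(lambda: delay.execute_next(pay, now=180))
    delay.enqueue("0xCardBackend", pay, now=200)
    delay.invalidate_queue(safe.address)
    out["execute_after_invalidation"] = attempt(lambda: delay.execute_next(pay, now=600))
    out["balance"] = safe.balance
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes is in the `weak_module` line: the attacker never produces a signature, yet the Safe pays out, because `exec_transaction_from_module` only asks whether the caller is an enabled module, not who asked that module to act. The `invalidate_queue` step is the one defensive move a delay-style design gives an operator mid-incident; whether the real Delay module's lever was usable here is not something this page establishes.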
FAQ
What exploit did Martin Koppelmann confirm on Monday?
Martin Koppelmann confirmed Monday an active exploit targeting Gnosis Pay involving the Zodiac delay module, which allows transactions to be queued before execution.
How is Gnosis responding to the Gnosis Pay exploit?
Gnosis stated it will cover all user losses and asked bridge validators to pause as part of containment efforts. Koppelmann said the organization is actively working to contain the damage.
What is the relationship between Gnosis Pay and Safe?
Gnosis Pay is a product of Gnosis built on Safe's smart contract wallet infrastructure. Safe, formerly Gnosis Safe, spun out from Gnosis in 2022 as an independent entity after raising $100 million.