Gnosis Pay Exploit Hits Delay Module, Team Pledges Refunds
An active exploit targets Gnosis Pay’s delay module, prompting a warning and then retraction from co-founder Martin Köppelmann. The team is working to contain the damage and will reimburse users, while details on losses and attack vector remain unclear.
Quick Take
- Exploit affects Gnosis Pay’s delay module, possibly via Zodiac.
- Co-founder first urged withdrawals, then retracted advice.
- Team pledges to make users whole with treasury funds.
- Incident follows a similar Safe module exploit days earlier.
Market Impact Analysis
Bearish: Exploit raises security concerns around Gnosis Pay and the Safe ecosystem, potentially leading to token sell-offs, but the team's refund pledge may mitigate long-term damage.
Key Takeaways
- An active exploit on Gnosis Pay’s delay module is being contained, with the team pledging full refunds from its treasury.
- Co-founder Martin Köppelmann initially urged withdrawals, then retracted the advice, leaving users uncertain.
- The attack highlights systemic risk in shared delay layers that can push malicious transactions to thousands of Safes at once.
What Happened
Gnosis Pay is grappling with an active exploit targeting its delay module. Co-founder Martin Köppelmann confirmed the attack, initially warning users to withdraw funds—a call quickly amplified by security firm PeckShield. He later retracted the withdrawal advice, deleting the initial tweet and stating most users couldn’t move funds anyway. The team is “actively working to contain the damage” and has committed to making all affected users whole using its treasury.
The exploit likely stems from a vulnerability in the Zodiac delay module or its configuration within Gnosis Pay’s infrastructure. This module acts as a shared queue for outgoing transactions from numerous Safe wallets, meaning a single flaw can inject malicious withdrawals across thousands of accounts simultaneously. It’s not yet clear how much has been stolen, which contracts are impacted, or whether funds are recoverable.
The Numbers
Details remain scarce while the containment effort is underway. However, the incident follows a steady drop in overall crypto exploit losses. According to CertiK, total losses fell to $68.3 million in May—a 90% decline from April and the third month this year below $100 million. This comes just days after a separate exploit involving a third-party Safe module drained $3.2 million from 86 wallets across Ethereum and Base, underscoring persistent modular wallet risks.
Why It Happened
The attack underscores a design tension in Gnosis Pay’s architecture. Its shared delay layer batches transactions from many self-custodial Safes, creating efficiency but also a central point of failure. A flaw in the delay module’s logic can push malicious withdrawals to multiple users at once, even though their private keys remain untouched. This incident mirrors the recent SquidRouterModule exploit, where a third-party module allowed an attacker to drain funds from dozens of Safe wallets. In both cases, the vulnerability lay outside core Safe contracts but exposed systemic risk in modular smart wallet ecosystems.
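A detection check for the fan-out risk described above, added here as an example and not Gnosis Pay's or Zodiac's code: it flags any recipient that shows up in queued transactions from several distinct Safes within a short window. The record layout, addresses, thresholds and the `fan_out_alerts` name are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample: queued outgoing transactions as
# (timestamp_s, safe, recipient, amount). The layout and the names are
# illustrative assumptions, not the Zodiac event schema.
QUEUED = [
    (1000, "safe-A", "merchant-1", 25),
    (1010, "safe-B", "merchant-2", 40),
    (1020, "safe-C", "addr-X", 900),
    (1025, "safe-D", "addr-X", 1200),
    (1030, "safe-E", "addr-X", 750),
    (1035, "safe-A", "addr-X", 300),
    (5000, "safe-B", "merchant-1", 12),
    (5100, "safe-F", "merchant-1", 30),
]

def fan_out_alerts(events, window_s=300, min_safes=3, known_recipients=frozenset()):
    """Flag recipients that receive queued transfers from at least min_safes
    distinct Safes within window_s seconds. Allow-listed recipients are skipped."""
    by_recipient = defaultdict(list)
    for ts, safe, to, amount in sorted(events):
        if to not in known_recipients:
            by_recipient[to].append((ts, safe, amount))

    alerts = {}
    for to, rows in by_recipient.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most window_s.
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            window = rows[start:end + 1]
            safes = {s for _, s, _ in window}
            if len(safes) < min_safes:
                continue
            best = alerts.get(to)
            # Keep the widest burst seen for this recipient.
            if best is None or len(safes) > len(best["safes"]):
                alerts[to] = {
                    "safes": safes,
                    "total": sum(a for *_, a in window),
                    "first_ts": window[0][0],
                    "last_ts": window[-1][0],
                }
    return alerts
```

Ordinary spending to a popular merchant is spread over time and stays under the threshold here; a burst of transfers from many Safes to one unfamiliar address does not.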
Broader Impact
The exploit raises sharp questions about the security of shared infrastructure layers in decentralized finance. Gnosis Pay and the broader Safe ecosystem may face short-term sell pressure on the GNO token as users reassess risk. Yet the team’s rapid containment effort and refund pledge could limit long-term reputational damage. The incident also highlights a pattern: even as overall exploit losses decline, sophisticated attacks on modular wallet designs continue to pose threats.
What to Watch Next
- Post‑mortem disclosure: Gnosis must reveal the exact attack vector, affected users, and recovery timeline.
- GNO price action: Monitor token performance for bearish signals amid uncertainty.
- Ecosystem response: How Safe Labs and other modular wallet projects react could shape future security standards.
This article is for informational purposes only and does not constitute financial advice.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved.