Gnosis Pay users were pushed into emergency mode on June 1 after Gnosis co-founder Martin Köppelmann warned that a hack was linked to the platform’s delay module.
The Gnosis Pay delay module hack triggered an immediate containment effort, with Köppelmann asking users to be patient while the team tried to limit the damage. He also gave the most important assurance for affected users: “Gnosis will cover all user losses.”
The warning escalated quickly because Gnosis Pay is not a normal exchange account. It is built around self-custodial Safe-based accounts that connect onchain balances to a payment card. Users were later urged to withdraw EURe and GNO while the issue was being contained, and a separate update tied the bug to the Zodiac delay module.
Delay Module Bug Creates Emergency Withdrawal Push
The delay module is supposed to protect Gnosis Pay users, not expose them. Gnosis Pay accounts use Safe accounts with Delay and Roles modules, creating a controlled setup where payments can settle while users keep ownership of their funds.
The Delay module normally adds a short three-minute wait to outgoing transactions from a Gnosis Pay Safe. That delay is designed to reduce double-spend risk, give users time to react, and keep card settlement from being disrupted by instant onchain withdrawals. The Roles module restricts what Gnosis Pay can initiate, including supported stablecoins, spending limits and authorized recipients.
The hack warning points to that control path rather than a broad market exploit. The issue was described as a delay module problem affecting Gnosis Pay users, with attackers reportedly able to initiate transactions from Safes using the vulnerable module. That makes the incident a wallet-module security event, not a simple token price move or normal card outage.
No Confirmed Loss Total Yet
Gnosis had not released a confirmed loss figure at publication time. That makes the reimbursement pledge more important, but it also means the final impact is still developing.
The immediate risk centered on users holding EURe and GNO in Gnosis Pay-linked Safes. The strongest public guidance was to withdraw funds while containment work continued. Gnosis Pay already provides a direct withdrawal path without normal app access, where users can move assets out of a Safe through a two-step process that queues and executes a withdrawal after the delay period.
That withdrawal design matters during an incident. If normal account access becomes unreliable, users may still need a route to move funds from the Safe itself. The same documentation makes clear that the process requires gas, uses Gnosis Chain, and depends on the user controlling the signing wallet.
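The queue-then-execute flow and the reaction window described above, as a small Python model added here for illustration (it is not Gnosis Pay or Zodiac code). The class, field names, account labels and timestamps are constructed, and the watcher assumes it knows which initiators and recipients the owner expects.

```python
from dataclasses import dataclass

COOLDOWN_SECONDS = 180  # the three-minute wait described in the article


@dataclass(frozen=True)
class QueuedTx:
    nonce: int
    queued_at: int   # unix seconds when the entry joined the queue
    initiator: str   # account that queued it (hypothetical label)
    recipient: str
    token: str
    amount: int


class DelayQueue:
    """Toy model: step 1 queues a transfer, step 2 executes it after the cooldown."""

    def __init__(self, cooldown=COOLDOWN_SECONDS):
        self.cooldown = cooldown
        self.pending = []
        self._next_nonce = 0

    def queue(self, now, initiator, recipient, token, amount):
        tx = QueuedTx(self._next_nonce, now, initiator, recipient, token, amount)
        self._next_nonce += 1
        self.pending.append(tx)
        return tx

    def execute_next(self, now):
        if not self.pending:
            raise LookupError("queue is empty")
        if now < self.pending[0].queued_at + self.cooldown:
            raise PermissionError("cooldown has not elapsed")
        return self.pending.pop(0)


def review_pending(queue, now, expected_initiators, expected_recipients):
    """Flag queued entries the owner did not expect, with seconds left to react."""
    alerts = []
    for tx in queue.pending:
        reasons = []
        if tx.initiator not in expected_initiators:
            reasons.append("unexpected initiator")
        if tx.recipient not in expected_recipients:
            reasons.append("unexpected recipient")
        if reasons:
            left = max(0, tx.queued_at + queue.cooldown - now)
            alerts.append((tx.nonce, reasons, left))
    return alerts
```

With an owner entry queued at t=1000 and an unexpected one at t=1060, `review_pending` at t=1100 reports only the second entry, with 140 seconds left before it becomes executable.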
Safe Module Risk Returns To The Spotlight
The Gnosis Pay incident lands less than a week after another Safe-related module attack hit the market. A SquidRouterModule exploit drained 86 Gnosis Safes for about $3 million across Ethereum and Base, with the focus again falling on module-level execution rather than a confirmed failure in the core Safe contract.
That distinction keeps coming back across DeFi. Smart accounts, payment cards, routers, delay queues and execution modules all sit around the user’s main wallet, but they can still control when and how assets move. When one of those components fails, the user experience looks the same as a wallet drain even if the deeper base contract remains intact.
June has already opened with several smaller but uncomfortable security stories. Fluid’s rewards drain exposed a key-control failure after compromised operational roles enabled fraudulent Merkle reward claims, while the AROS attack on BNB Chain added another token-level loss to the early-month exploit run.
Gnosis Pay now adds a different category: payments-linked smart account risk. The platform’s core promise is that users can spend from self-custodial funds while keeping programmable controls around card settlement. A delay module hack cuts straight into that promise because the module is part of the protection layer itself.
The next update needs to answer three questions: how many users were affected, how much was lost, and whether the vulnerable delay-module path has been fully neutralized. Until then, the story is already clear enough for users to act. Gnosis Pay has acknowledged the hack, Gnosis has promised to cover user losses, and anyone still exposed to the affected setup should treat withdrawal guidance as the priority rather than waiting for the final postmortem.


