The exploit occurred in the Gnosis Pay delay module, a security layer for its payments.
Most users cannot withdraw funds autonomously, according to the co-founder of Gnosis.
Gnosis Pay suffered an exploit today in its delay module, a component that allows transactions to be scheduled with a configurable waiting time before they are executed, as confirmed by the Gnosis team and its co-founder Martin Köppelmann in posts on
Gnosis Pay, developed by Gnosis, is a debit card payment service that allows you to spend cryptocurrencies in traditional stores. It is built on top of Safe (formerly known as Gnosis Safe), a multi-signature wallet protocol widely used on Ethereum and compatible chains.
The delay module where the exploit occurred is designed as a security measure: by introducing an interval between the request and the execution of a transaction, it gives the account owner time to cancel unauthorized operations before they complete. In this case, that same mechanism was the attack vector.
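As an added illustration of the request-then-wait pattern described above (a constructed model, not Gnosis Pay or Safe code, with assumed cooldown and expiration parameters), the following shows why the cancellation window is the only line of defense once a party allowed to queue transactions is compromised:

```python
"""Constructed model of a delay-module timelock. Assumptions (not from the article):
a transaction is queued, may execute only after a cooldown, can be cancelled by the
account owner during that window, and expires if left unexecuted too long."""
from dataclasses import dataclass, field


@dataclass
class QueuedTx:
    tx_id: int
    to: str
    value: int
    queued_at: int          # unix seconds when the request was queued
    cancelled: bool = False
    executed: bool = False


@dataclass
class DelayModule:
    owner: str
    cooldown: int           # seconds that must pass before execution is allowed
    expiration: int         # seconds after the cooldown during which execution still works
    queue: list = field(default_factory=list)

    def __post_init__(self):
        # A zero cooldown removes the cancellation window entirely; reject that config.
        if self.cooldown <= 0 or self.expiration <= 0:
            raise ValueError("cooldown and expiration must be positive")

    def enqueue(self, to: str, value: int, now: int) -> int:
        tx = QueuedTx(len(self.queue), to, value, now)
        self.queue.append(tx)
        return tx.tx_id

    def cancel(self, caller: str, tx_id: int) -> None:
        # Only the account owner may cancel a pending request.
        if caller != self.owner:
            raise PermissionError("only the owner can cancel")
        self.queue[tx_id].cancelled = True

    def execute(self, tx_id: int, now: int) -> bool:
        tx = self.queue[tx_id]
        if tx.cancelled or tx.executed:
            return False
        ready_at = tx.queued_at + self.cooldown
        if now < ready_at:
            return False        # still inside the window where the owner can cancel
        if now > ready_at + self.expiration:
            return False        # stale request; it must be queued again
        tx.executed = True
        return True
```

The defender's takeaway is that `execute` never checks who queued the request: if the queuing role is compromised, funds leave as soon as the cooldown elapses unless someone cancels in time.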
Gnosis promises to cover 100% of losses
At first, the Gnosis Pay team and Köppelmann recommended that users withdraw their funds from the card to their personal wallets. Köppelmann deleted that post shortly after and noted:
I deleted a previous tweet asking users to withdraw funds. Most users will not be able to do this, but we are actively working to contain the damage. We think we can contain most of it.
Martin Köppelmann, co-founder of Gnosis.
The co-founder of the protocol did not explain the reason for the impediment. The exploit may have compromised the delay module itself, which manages these operations, and that would block the outflow of funds through the same affected channel.
Köppelmann also extended a public guarantee of full coverage. “In any case, we will ensure that all users are fully compensated,” he wrote. The Gnosis Pay team reiterated that commitment in its statement: “Affected users will be refunded.”
However, neither of the two publications reported the amount stolen, the number of affected users, or the specific mechanism by which the refund will be made.
In this context, the fact that the majority of users cannot withdraw their funds autonomously leaves damage containment entirely in the hands of the team.
A recent precedent in the Safe ecosystem
On May 25, an attacker drained approximately USD 3 million from 86 wallets operating on Ethereum and Base, as reported by CriptoNoticias.
In that case, the vector was an external Squid Router module (a tool that allows token exchanges between different networks from the wallet), which the attacker used to pose as an authorized operator and execute transactions without needing the victims’ private keys.
The wallets affected in this exploit ran on Gnosis Safe, the base protocol shared with Gnosis Pay, although they are different products. Safe CEO Rahul Rumalla clarified at the time that the Squid Router module involved had already been identified as risky within the protocol’s internal alert system, indicating that the attack vector was flagged before the damage occurred.
Both incidents point to a common pattern: in Safe, external modules that extend the functions of the wallets represent additional entry routes for attackers, even when the core of the protocol has not been compromised.
