Key points
- Gnosis confirmed an ongoing exploit affecting its Gnosis Pay platform, linked to a flaw in the Zodiac delay module.
- The vulnerability allows unauthorized transactions from certain Safe wallets using the module.
- Gnosis has pledged to cover all user losses and has asked bridge validators to pause operations.
- The full scale of the exploit remains under investigation and no final loss figure has been released.
- The incident follows a separate May 25 breach involving a different third-party module.
Ongoing exploit and vulnerability
Gnosis has confirmed that its Gnosis Pay payment platform is under active exploit, after identifying a security vulnerability in the Zodiac delay module, a component used in conjunction with Safe smart contract wallets.
Co-founder Martin Koppelmann said the flaw allows an attacker to trigger transactions from Safe wallets that have this specific module enabled. The core Safe contracts themselves are not affected, according to the company.
The Zodiac delay module is designed to act as a transaction queue with a built-in time lag, providing an additional layer of control over wallet operations. In this case, that layer became the entry point for unauthorized transactions.
Company response and user protection
Gnosis stated it will reimburse all users for losses arising from the attack and is working to restore affected balances. The team is still assessing the damage and has not published an official loss estimate.
An initial public alert advising users to withdraw GNO and the euro-pegged stablecoin EURe from Gnosis Pay was later deleted, before Koppelmann issued an updated confirmation of the attack and the recovery plan.
As part of its containment strategy, Gnosis asked bridge validators to temporarily halt operations to prevent compromised funds from moving across networks. This effectively isolates parts of the system while the exploit is analyzed and patched. The organization noted that similar pauses have been used previously as a risk-management tool during major network upgrades.
Market context and token impact
At the time of the announcement, the GNO token was trading around $112.98. Market participants now face a period of uncertainty as they weigh the potential impact of reimbursements, paused bridge activity, and any lingering confidence effects around Gnosis Pay and related assets.
EURe, the other key asset involved, is a regulated e-money token backed by euro reserves. Euro-denominated stablecoins collectively hold an estimated market capitalization of about €500 million, compared with nearly $300 billion for the broader global stablecoin market. Any disruption to EURe flows via Gnosis Pay could have localized effects but would be small in the context of the wider sector.
Technical scope and risk assessment
Gnosis has stressed that the compromise is limited to the Zodiac delay module and does not extend to Safe’s core wallet infrastructure. However, any Safe wallet that enabled the vulnerable module is at risk of unauthorized transactions.
For now, the halt of bridge functionality restricts transfers to and from the Gnosis Chain, which may affect liquidity strategies and cross-chain activity until services are restored. Technical teams are reviewing compromised addresses and transaction histories to block further unauthorized access.
Traders and users of smart contract wallets are being urged to review which specific modules are active on their setups, particularly any use of third-party components layered on top of standard wallet infrastructure.
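The module review urged above, as an added example (not code from Gnosis, Safe or this article): it decodes the return data of a Safe's getModulesPaginated(address,uint256) view call and lists enabled modules that are not in a set the owner has already reviewed. The addresses and the sample payload are constructed placeholders, and fetching the data with eth_call is assumed and not shown.

```python
# Added example: audit a Safe's enabled modules from raw eth_call return data.
# getModulesPaginated returns (address[] array, address next); Safe keeps its
# modules in a linked list whose end marker is the sentinel address 0x...01.
SENTINEL = "0x" + "00" * 19 + "01"

def _word(data: bytes, i: int) -> bytes:
    w = data[i:i + 32]
    if len(w) != 32:
        raise ValueError("truncated ABI data")
    return w

def _addr(word: bytes) -> str:
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret_hex: str):
    """Decode one page: returns (list of module addresses, next cursor)."""
    raw = ret_hex[2:] if ret_hex.startswith("0x") else ret_hex
    data = bytes.fromhex(raw)
    offset = int.from_bytes(_word(data, 0), "big")   # head slot 0: array offset
    nxt = _addr(_word(data, 32))                     # head slot 1: next cursor
    n = int.from_bytes(_word(data, offset), "big")   # array length
    if n > (len(data) - offset - 32) // 32:
        raise ValueError("array length exceeds payload")
    return [_addr(_word(data, offset + 32 * (i + 1))) for i in range(n)], nxt

def audit(ret_hex: str, reviewed):
    """Flag enabled modules the owner has not explicitly reviewed."""
    modules, nxt = decode_modules_page(ret_hex)
    known = {a.lower() for a in reviewed}
    return {
        "modules": modules,
        "unreviewed": [m for m in modules if m not in known],
        "more_pages": nxt != SENTINEL,   # True means: query again from `nxt`
    }

# --- constructed sample data (placeholder addresses, not real contracts) ---
def _enc(a: str) -> bytes:
    return bytes(12) + bytes.fromhex(a[2:])

DELAY = "0x" + "d1" * 20   # stands in for a delay-module instance
OTHER = "0x" + "a2" * 20   # stands in for an unknown third-party module
SAMPLE = "0x" + ((0x40).to_bytes(32, "big") + _enc(SENTINEL)
                 + (2).to_bytes(32, "big") + _enc(DELAY) + _enc(OTHER)).hex()

if __name__ == "__main__":
    print(audit(SAMPLE, reviewed={DELAY}))
```

An empty `modules` list means no module can execute transactions on the Safe; any entry in `unreviewed` is a contract with that power that the owner has not yet vetted.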
Recent security history
The latest exploit comes only days after a separate security incident on May 25, 2026, in which around $3.2 million was drained from 86 wallets. That earlier breach was traced to a third-party module named SquidRouterModule, which contained a weak identity verification mechanism.
In that case, the attacker was able to impersonate authorized users and drain funds, again without compromising the core Safe contracts. The back‑to‑back incidents highlight the elevated risk around auxiliary modules and extensions connected to otherwise battle‑tested wallet frameworks.
Outlook
Authorities and independent security researchers are monitoring the current exploit as Gnosis works to identify all affected wallets and finalize loss figures. The combination of a reimbursement pledge, paused bridges, and recent history of third‑party module failures is likely to keep attention on Gnosis Pay’s architecture and on the broader practice of layering custom modules on top of established smart contract wallets.

