via The Block · By The Block Editorial

'Gnosis will cover all user losses' amid exploit related to Gnosis Pay, co-founder Koppelmann says

The Block Editorial
(10:14 AM UTC)
Reviewed by David Kim

Gnosis co-founder and CEO Martin Koppelmann confirmed Monday an active exploit related to Gnosis Pay involving the Zodiac delay module.

"Unfortunately, there is a hack related to Gnosis Pay and the 'delay module.' Please be patient while we try to contain the damage. Rest assured, Gnosis will cover all user losses," Koppelmann wrote on X. Blockchain security firm PeckShield had also flagged the active exploit, warning users to check their exposure.

The attack exploited the Zodiac delay module, a permission layer that allows transactions to be queued before execution. Koppelmann said the attacker is able to initiate transactions from Safe wallets carrying such a module, and that Gnosis is asking bridge validators to pause as part of its containment response.

Koppelmann had posted an earlier alert urging all Gnosis Pay users to withdraw EURe and GNO immediately, but deleted that post ahead of the updated statement. "Deleted an earlier tweet that asked users to withdraw funds," Koppelmann said. "Most users will not be able to do so, but we are actively working to contain the damage. We believe we can contain the majority of it, and in any case, we will ensure that all users are made whole."

Gnosis Pay is a product of Gnosis, the Ethereum infrastructure organization co-founded by Koppelmann, and should not be confused with Safe — formerly Gnosis Safe — which spun out from Gnosis in 2022 as an independent entity after raising $100 million. 

The two remain closely linked. Gnosis Pay is built on Safe's smart contract wallet infrastructure, with Safe securing the self-custodial wallets underlying every Gnosis Pay card. The delay-module bug flagged on Monday sits within the Gnosis Pay system, not Safe's core contracts.

The extent of the drain and whether funds have already been lost were not immediately confirmed. The Block has reached out for comment.

The alert arrives days after a separate exploit drained $3.2 million from 86 Gnosis Safe wallets via a vulnerable third-party module called SquidRouterModule. That incident involved weak identity validation in an unofficial module, allowing attackers to execute arbitrary calldata without requiring wallet signatures.

This is a developing story.
