Loading prices…
🩸BEARISH

Zodiac Delay Module Exploit Drains Gnosis Pay, CEO Responds

The Zodiac delay-module bug lets an attacker push transactions from affected Safe wallets — the second time in a week a module-based attack has drained funds from the Gnosis stack.

Gnosis co-founder and CEO Martin Koppelmann confirmed Monday that an active exploit is hitting Gnosis Pay through the Zodiac delay module, a permission layer that queues transactions before execution on Safe wallets. Koppelmann said on X that the attacker can initiate transactions from Safe wallets carrying the module, and that Gnosis is asking bridge validators to pause as part of its containment response. The full scale of the drain and whether user funds have already been lost have not yet been disclosed.

"Unfortunately, there is a hack related to Gnosis Pay and the 'delay module.' Please be patient while we try to contain the damage. Rest assured, Gnosis will cover all user losses," Koppelmann wrote. Blockchain security firm PeckShield separately flagged the active exploit and urged users to check their exposure. Koppelmann also deleted an earlier post that had urged Gnosis Pay users to withdraw EURe and GNO immediately, noting most users would not be able to act in time and that Gnosis would make all users whole regardless.

Why it matters

The delay module sits inside Gnosis Pay's system, not Safe's core contracts, but the attack still ripples across the broader Ethereum self-custody stack: Gnosis Pay is built on Safe smart-contract wallet infrastructure, and any wallet carrying the module is potentially exposed. The incident lands five days after a separate exploit drained $3.2 million from 86 Gnosis Safe wallets via a vulnerable third-party module called SquidRouterModule, where weak identity validation let attackers execute arbitrary calldata without wallet signatures — a different vector, but the same architectural pattern of third-party modules introducing risk into otherwise battle-tested wallet code.

Market impact

Gnosis has committed to backstopping user losses directly, which limits immediate retail fallout for EURe and GNO holders, but the repeated module-based attacks are doing reputational damage to the broader Safe ecosystem at a moment when institutional self-custody adoption is being measured against exactly this kind of supply-chain risk.

Related tokens
$GNO $EURE

Frequently asked questions

  1. What was exploited in the Gnosis Pay hack?

    An active exploit targeted Gnosis Pay through the Zodiac delay module, a permission layer that queues transactions before execution. Koppelmann said the attacker can initiate transactions from Safe wallets carrying the module.

  2. Will Gnosis Pay users get their money back?

    Gnosis co-founder and CEO Martin Koppelmann said on X that Gnosis will cover all user losses. The full scale of the drain and whether funds have already been lost had not been disclosed at the time of the announcement.

  3. Is this the same exploit that hit Gnosis Safe wallets last week?

    No — it is a separate incident. About five days earlier, a vulnerable third-party module called SquidRouterModule drained $3.2 million from 86 Gnosis Safe wallets via weak identity validation. Both attacks targeted module layers, not Safe's core contracts.

  4. Is the bug in Safe's core code?

    No. The delay-module bug sits within the Gnosis Pay system, not Safe's core contracts. Gnosis Pay is built on Safe smart-contract wallet infrastructure, and any wallet carrying the affected module is potentially exposed.

  5. What is Gnosis doing to contain the exploit?

    Gnosis is asking bridge validators to pause as part of its containment response. Koppelmann said the team believes it can contain the majority of the damage and will ensure all users are made whole in any case.

Source attribution
Aggregated from TheBlock · Verified · Last refreshed 46d ago
Open original →