Gnosis is working to contain an exploit affecting its Gnosis Pay product after co-founder Martin Köppelmann acknowledged an active hack involving the system's delay module and said the project would cover user losses.
Köppelmann initially urged users to withdraw funds, a warning amplified by blockchain security firm PeckShield, which advised users to withdraw all funds, including EURe and GNO. He later retracted that advice and deleted the initial tweet, saying most users would not be able to withdraw their funds. He reiterated that the team is actively working to contain the damage and will make users whole.
Gnosis is a long-running Ethereum project known for its smart contract wallet infrastructure and Gnosis Chain, an EVM-compatible network used for payments and decentralized finance.
The shifting guidance leaves key questions unanswered, including how much has been stolen, which contracts or users are affected, and whether the issue stems from the Zodiac delay module itself, its configuration within Gnosis Pay, or a broader architectural flaw.

Former NEAR Protocol core developer Vadim Zacodil said Gnosis Pay's design routes user self-custody through a shared delay layer that queues outgoing transactions from many Safes at once, so a bug there can push malicious withdrawals into thousands of users' queues simultaneously, even though individual keys never move. He argued that what is protecting users here is less the self-custodial Safe accounts and more Gnosis's ability to pause infrastructure and commit treasury funds to cover losses.
The incident follows a separate exploit involving a third-party module connected to Safe, the smart contract wallet infrastructure originally incubated within the Gnosis ecosystem. In that case, a SquidRouterModule contract was abused to drain about $3.2 million from roughly 86 Safes across Ethereum and Base.