Gnosis Pay Faces Active Exploit Tied to Zodiac Delay Module

Gnosis Pay faces an exploit tied to the Zodiac delay module, with Gnosis pledging to cover user losses during containment.

TL;DR:

  • Gnosis Pay faces an exploit tied to the Zodiac delay module, with Martin Koppelmann saying Gnosis will cover all user losses as users await clearer damage details.
  • The attacker can initiate transactions from Safe wallets carrying the module, while Gnosis is asking bridge validators to pause during containment.
  • The issue sits inside Gnosis Pay, not Safe core contracts, but follows a separate $3.2 million exploit involving a vulnerable third-party module.

Gnosis Pay is facing an exploit tied to its Zodiac delay module, forcing the project into containment mode while users wait for clarity on exposure. Gnosis co-founder and CEO Martin Koppelmann said Monday that the incident relates to Gnosis Pay and assured users that losses would be covered. The extent of any drain has not been confirmed, so the immediate focus is on protecting users while the exploit remains unresolved. Blockchain security firm PeckShield also flagged the active attack, urging users to check whether they were exposed.

Delay module exploit puts containment ahead of clarity

The exploit centers on the Zodiac delay module, a permission layer that lets transactions be queued before execution. Koppelmann said the attacker can initiate transactions from Safe wallets carrying that module. That detail is especially sensitive for Gnosis Pay users because the product relies on Safe smart contract wallet infrastructure. The bug sits inside the Gnosis Pay system, not Safe’s core contracts, a distinction that matters because anxious users could mistake the incident for a broader Safe wallet failure.

Gnosis is asking bridge validators to pause as part of its response, suggesting the immediate priority is slowing movement while the team works to contain the damage. Koppelmann had first urged Gnosis Pay users to withdraw EURe and GNO immediately, but later deleted that alert, saying most users would not be able to do so. That reversal captures the strange urgency of the situation, with users told both that risk exists and that self-directed withdrawal may not be practical during the active response. The deleted warning also shows how quickly public instructions can change when exploit containment depends on infrastructure coordination rather than simple user action.

The company’s promise to make users whole softens the financial fear but does not remove the technical questions. Gnosis Pay is a product of Gnosis, while Safe, formerly Gnosis Safe, became independent in 2022 after raising $100 million. The two remain connected because Gnosis Pay uses Safe infrastructure to secure self-custodial card wallets. The next test is how quickly containment turns into a full accounting, especially after a separate recent exploit drained $3.2 million from 86 Gnosis Safe wallets through a vulnerable third-party SquidRouterModule. That timing makes Monday’s exploit feel less isolated for users watching module risk.
