Gnosis Pay Zodiac Delay Module Exploit
A signature-verification flaw in the Zodiac Delay Module let an attacker bypass Gnosis Pay's time-delay protection and drain roughly $265,000 in EURe and GNO from dozens of user Safes.
- Date: June 1, 2026
- Victim: Gnosis Pay
- Chain(s):
- Status: Reported fully contained by June 2, 2026
- Funds Stolen: roughly $265,000 in EURe and GNO
On June 1, 2026, Gnosis Pay suffered an active exploit that drained roughly $265,000 in EURe and GNO from dozens of user Safes after an attacker bypassed the service's time-delay safeguard by abusing a flaw in the Zodiac Delay Module.
What happened
Gnosis Pay wraps each self-custodial card account in a Gnosis Safe protected by a Zodiac Delay Module — a time-lock that is supposed to queue outgoing transactions and require valid signatures before execution. The exploit centered on the module's moduleTxSignedBy() routine, which parsed the r, s, and v signature components directly from msg.data calldata in a way the attacker could manipulate to satisfy the authorization check without a legitimate signature. That let crafted transactions slip past the delay and pull funds straight out of the affected Safes. Zodiac later confirmed the flaw lived in the Delay Module and that core Gnosis Safe contracts were unaffected — a containment line that echoes the New Market Trading module exploit weeks earlier, where the danger again sat in third-party Safe tooling rather than Safe itself.
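The check described above, modelled as an added example that is not Zodiac's code and not a reconstruction of the exploit (the page does not describe the manipulation in enough detail to reproduce it): a module-transaction verifier that splits a 65-byte r, s, v signature off the tail of msg.data, binds the signed digest to the chain id, module address, salt and the exact calldata that will execute, and recovers the signer with a toy, stdlib-only secp256k1 implementation. The owner key, module address, salt, payload and the `ModuleTx` domain label are constructed for the demo; `hashlib.sha3_256` stands in for keccak256, which Python's standard library lacks. What it shows is the set of invariants such a parser has to hold: a failed recovery must never compare equal to anything, and any change to the executed bytes or to the domain must change the digest the signer is required to have produced.

```python
"""Toy model of a module-transaction signature check that reads r, s, v from the
tail of calldata. Example code, not Zodiac's implementation and not the exploit."""
import hashlib

# secp256k1 parameters (real values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _h(data: bytes) -> bytes:
    # Stand-in for keccak256 (NIST SHA3-256 differs in padding); the structure is what matters.
    return hashlib.sha3_256(data).digest()


def address_of(point) -> str:
    x, y = point
    return "0x" + _h(x.to_bytes(32, "big") + y.to_bytes(32, "big"))[12:].hex()


def sign(priv: int, digest: bytes) -> bytes:
    """ECDSA over a 32-byte digest, deterministic k, low-s; returns r || s || v (65 bytes)."""
    z = int.from_bytes(digest, "big")
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + digest).digest(), "big") % N or 1
    x, y = _mul(k, G)
    r = x % N
    s = pow(k, -1, N) * (z + r * priv) % N
    v = 27 + (y & 1)
    if s > N // 2:                 # normalise to low-s; negating s flips the recovery parity
        s, v = N - s, 55 - v
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([v])


def ecrecover(digest: bytes, sig: bytes):
    """Signer address, or None if sig is not a valid low-s ECDSA signature over digest.
    (The EVM precompile signals failure as address(0) and accepts high s; rejecting
    high s is the library-level hardening, e.g. OpenZeppelin's ECDSA.)"""
    if len(sig) != 65:
        return None
    r, s, v = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big"), sig[64]
    if not (1 <= r < N and 1 <= s <= N // 2 and v in (27, 28)):
        return None
    y_sq = (pow(r, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)          # P ≡ 3 mod 4, so this is a square root if one exists
    if y * y % P != y_sq:
        return None                          # r is not the x-coordinate of any curve point
    if (y & 1) != v - 27:
        y = P - y
    z = int.from_bytes(digest, "big")
    r_inv = pow(r, -1, N)
    q = _add(_mul(s * r_inv % N, (r, y)), _mul(-z * r_inv % N, G))   # Q = r^-1 (sR - zG)
    return None if q is None else address_of(q)


def module_tx_hash(chain_id: int, module: str, calldata: bytes, salt: bytes) -> bytes:
    """Domain-bound digest over exactly the bytes that will be executed (constructed layout)."""
    domain = _h(b"ModuleTx" + chain_id.to_bytes(32, "big") + bytes.fromhex(module[2:]))
    return _h(domain + salt + calldata)


def module_tx_signed_by(chain_id: int, module: str, msg_data: bytes, salt: bytes):
    """Split the trailing 65-byte signature off msg.data and recover its signer."""
    if len(msg_data) < 4 + 65:              # selector plus a whole signature, otherwise nothing to verify
        return None, msg_data
    calldata, sig = msg_data[:-65], msg_data[-65:]
    return ecrecover(module_tx_hash(chain_id, module, calldata, salt), sig), calldata


def authorize(chain_id: int, module: str, msg_data: bytes, salt: bytes, allowed: set) -> bool:
    signer, _ = module_tx_signed_by(chain_id, module, msg_data, salt)
    return signer is not None and signer in allowed   # a failed recovery never equals anyone


def demo() -> dict:
    owner_priv = int.from_bytes(hashlib.sha256(b"constructed owner key").digest(), "big") % N
    owner = address_of(_mul(owner_priv, G))
    chain, module, salt = 100, "0x" + "11" * 20, b"\x00" * 32   # constructed values
    calldata = bytes.fromhex("a9059cbb") + b"\x00" * 64            # constructed selector + two words
    signed = calldata + sign(owner_priv, module_tx_hash(chain, module, calldata, salt))
    return {
        "valid": authorize(chain, module, signed, salt, {owner}),
        "tampered_payload": authorize(chain, module, signed[:-66] + b"\x01" + signed[-65:], salt, {owner}),
        "wrong_chain": authorize(1, module, signed, salt, {owner}),
        "garbage_sig": authorize(chain, module, calldata + b"\xff" * 65, salt, {owner}),
        "no_sig": authorize(chain, module, calldata, salt, {owner}),
    }


if __name__ == "__main__":
    print(demo())
```

Only the `valid` case should come back true; the other four fail for different reasons (digest mismatch, domain mismatch, r out of range, no signature present), and a reviewer of a real module should be able to point at the line that rejects each one.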
Aftermath
Co-founder Martin Köppelmann confirmed the incident and pledged that Gnosis would reimburse all affected users, while the team asked bridge validators to pause activity to limit the spread. Gnosis Pay said the incident was fully contained by June 2 and that operations would resume in phases. The attacker, however, moved quickly to launder: roughly $246,000 was bridged out toward Hyperliquid and partly swapped into Monero (XMR), so the stolen funds themselves were not recovered even as users were made whole.
Why it matters
The Gnosis Pay incident shows that security modules are themselves attack surface — a time-delay meant to add safety became the single point of failure when its signature parsing could be gamed. Together with New Market Trading and the same-week TesseraDAO mint, it marks an early-June 2026 cluster of Safe-adjacent and key-driven losses, and reinforces a recurring catalogue lesson: bolt-on Safe modules carry full asset authority and must be audited as rigorously as the vault they guard.
Sources & on-chain evidence
- [01] thedefiant.io: https://thedefiant.io/news/hacks/gnosis-pay-hit-by-delay-module-exploit-as-gnosis-pledges-to-cover-user-losses
- [02] cryptotimes.io: https://www.cryptotimes.io/2026/06/05/delay-module-trick-costs-gnosispay-265k-reports-certik/
- [03] cryptotimes.io: https://www.cryptotimes.io/2026/06/03/zodiac-reveals-flaw-behind-gnosis-pay-exploit-safe-unaffected/
- [04] crypto.news: https://crypto.news/gnosis-pay-exploit-tied-to-zodiac-delay-module-as-users-exit/