Key Highlights
- An active exploit targeting the Zodiac delay module in Gnosis Pay allowed an attacker to initiate unauthorized transactions from Safe wallets carrying the module, prompting Gnosis to pause all bridge activity as a containment measure.
- Gnosis co-founder Martin Koppelmann confirmed the protocol will cover all user losses, stating "Gnosis will cover all user losses," though neither the total amount taken nor the number of affected accounts has been publicly disclosed.
- Koppelmann posted an emergency alert urging all Gnosis Pay users to immediately withdraw EURe and GNO, then deleted the post, noting most users would be unable to act in time while the team worked to contain the damage.
Gnosis Pay suffered an active exploit on June 1 tied to a vulnerability in the Zodiac delay module, a permission layer integrated with Safe smart contract wallets that queues transactions before execution. The attacker exploited this module to initiate unauthorized outgoing transactions from affected Safe wallets, bypassing the time-lock protection the component is designed to enforce.
Martin Koppelmann, co-founder of Gnosis, publicly confirmed the incident and pledged that the protocol would make affected users whole. "Rest assured, Gnosis will cover all user losses," Koppelmann stated. As part of the containment response, Gnosis asked bridge validators to pause operations to prevent further asset movement. The total amount drained and the number of impacted accounts have not been disclosed, and no technical post-mortem has been published.
Shortly after the exploit became active, Koppelmann posted an emergency alert on X urging all Gnosis Pay users to immediately withdraw their EURe and GNO balances. He subsequently deleted the post, explaining that most users would not be able to withdraw in time and that the team was working to contain the damage through other means. Bridge activity was halted following confirmation of the active exploit.
The Zodiac delay module is part of the Zodiac ecosystem, a set of composable extensions built on top of Safe (formerly Gnosis Safe) that adds programmable permissions to smart contract wallets. By exploiting its transaction queuing logic, the attacker bypassed the time-lock protection it is intended to provide. Gnosis Pay is a crypto payment card product that allows users to spend EURe and other digital assets at merchants, meaning the security of its underlying wallet infrastructure is directly tied to card user funds.
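The queue-then-execute behaviour described above, as an added example that is not Gnosis or Zodiac code: a small off-chain audit that replays constructed queue/execute events for one delay module and flags any execution that would violate the time-lock it is meant to enforce. The `Event` shape, the `audit` function, the cooldown value and the sample timestamps are all assumptions, not details from the incident.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # "queued" or "executed"
    nonce: int   # per-module transaction counter (FIFO order)
    ts: int      # block timestamp, unix seconds


def executable_window(created_at: int, cooldown: int, expiration: int):
    """Earliest and latest timestamps at which a queued tx may legitimately
    execute. expiration == 0 means the queued tx never goes stale."""
    earliest = created_at + cooldown
    latest = None if expiration == 0 else earliest + expiration
    return earliest, latest


def audit(events, cooldown: int, expiration: int = 0):
    """Replay module events in block order and return (nonce, reason) for every
    execution that breaks the queue's rules: executed before its cooldown
    elapsed, executed after it expired, executed without ever being queued,
    or executed out of nonce order."""
    queued = {}          # nonce -> timestamp at which it entered the queue
    next_expected = 0    # nonce the FIFO queue should execute next
    findings = []
    # Same-timestamp ties: process "queued" before "executed".
    for ev in sorted(events, key=lambda e: (e.ts, e.kind == "executed")):
        if ev.kind == "queued":
            queued[ev.nonce] = ev.ts
            continue
        created = queued.get(ev.nonce)
        if created is None:
            findings.append((ev.nonce, "executed-without-queue"))
        else:
            earliest, latest = executable_window(created, cooldown, expiration)
            if ev.ts < earliest:
                findings.append((ev.nonce, f"cooldown-bypass: {earliest - ev.ts}s early"))
            elif latest is not None and ev.ts > latest:
                findings.append((ev.nonce, "executed-after-expiration"))
        if ev.nonce != next_expected:
            findings.append((ev.nonce, "out-of-order"))
        next_expected = ev.nonce + 1
    return findings


# Constructed sample log for a module with a one-hour cooldown (not incident data).
SAMPLE_EVENTS = [
    Event("queued", 0, 1_000),
    Event("executed", 0, 1_000 + 3600),   # legitimate: exactly at cooldown
    Event("queued", 1, 5_000),
    Event("executed", 1, 5_000 + 60),     # 59 minutes early: time-lock bypassed
    Event("executed", 2, 5_100),          # never entered the queue at all
]
```

Running `audit(SAMPLE_EVENTS, cooldown=3600)` reports nonce 1 as a cooldown bypass and nonce 2 as executed without being queued; a monitor watching a live module would alert on either finding.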