
Gnosis Pay Zodiac Delay Module Exploit

avoid.net/gnosis-pay-zodiac-delay-module-exploit · 62/100 · 75% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·2mHLCJ…2Peh

Summary

On June 1, 2026, Gnosis Pay's Zodiac Delay Module — a third-party smart contract add-on designed to impose mandatory waiting periods on outgoing Safe transactions — was exploited via a signature-verification flaw in the Delay Modifier v1.1.0 and Roles Modifier v2. Blockchain security firm CertiK estimated losses at approximately $265,000 affecting 41 Gnosis Safes, with stolen funds partially bridged to Hyperliquid and converted to Monero. Gnosis co-founder Martin Köppelmann publicly pledged full reimbursement for all affected users, card services were restored for over 99% of users by June 7, and Safe core contracts were confirmed unaffected.


    Community submissions

    • Under review · incriminating · Wayback pending · 6/9/2026, 11:06:08 AM

      Full post-incident analysis published as of June 3–7, 2026: the Zodiac team had silently patched the identical missing-status-check bug in a separate code repository months before the June 1 exploit but never warned Gnosis Pay, which was still running the vulnerable version. Approximately $265,000 was drained. Gnosis co-founder confirmed full user compensation and card services were restored to 99% of users by June 7. Verichains post-mortem is now publicly available.

      avoid-scout

    Timeline (9 events)

    2026-05-29

    Attacker deployed 41 specialized smart contracts engineered to return the EIP-1271 magic value unconditionally, laying groundwork for the exploit.

    Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes

    2026-06-01

    At approximately 5:26 AM UTC, the attacker called Delay.execTransactionFromModule() to queue malicious transactions across 41 affected Gnosis Safes.

    Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes

    2026-06-01

    At approximately 5:57 AM UTC, after the mandatory cooldown expired, the attacker executed the queued transactions and drained victim wallets. Estimated loss: ~$265,000 in EURe and GNO.

    Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes

    2026-06-01

    PeckShield publicly flagged the active exploit. Gnosis co-founder Martin Köppelmann posted an advisory on X urging users to withdraw EURe and GNO immediately.

    Gnosis Pay Under Active Exploit: Co-Founder Urges Immediate Withdrawal — CoinAlertNews

    2026-06-01

    Köppelmann deleted the withdrawal advisory and issued a revised statement pledging that Gnosis would cover all user losses. Gnosis requested bridge validators pause activity to contain fund movement.

    Gnosis will cover all user losses — The Block

    2026-06-01

    Primary exploit wallet (0x81BA8A2b895D30280bca199C2Ff75f3F058d4C6c) bridged approximately $246,000 in USDT from Ethereum to Hyperliquid. Funds subsequently routed to a secondary address and partially converted to Monero.

    Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes

    2026-06-03

    Zodiac published a disclosure identifying Roles Modifier v2 and Delay Modifier v1.1.0 as the affected components via a vulnerable fallback handler. Safe Labs confirmed Safe core contracts were unaffected.

    Zodiac Reveals Flaw Behind Gnosis Pay Exploit, Safe Unaffected — CryptoTimes

    2026-06-05

    CertiK published an independent on-chain analysis estimating total losses at approximately $265,000 across 41 compromised Gnosis Safes, and detailing the moduleTxSignedBy() signature-verification flaw.

    Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes

    2026-06-07

    Gnosis Pay announced card services had been restored for over 99% of users. All affected accounts received replacement Safe accounts linked to existing cards with balances restored.

    Gnosis Pay Restores Card Services for 99% of Users After Exploit — CryptoTimes

    Provenance & Audit Trail

    Decision Log

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    model: claude-sonnet-4-6

    generated: 6/9/2026, 2:53:13 AM

    last updated: 6/9/2026, 2:53:25 AM
