Verify a decision

{"actor":"system:backfill","investigation_id":"8ed8454e-4391-4266-b163-451864833160","kind":"publish","page_slug":"gnosis-pay","published_at":"2026-06-03T12:05:33.705Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Gnosis Pay","sections":[{"content":"Gnosis Pay is the consumer payments arm of Gnosis, a blockchain infrastructure company with roots in the Ethereum ecosystem since 2015. The legal entity, Gnosis Pay Co Ltd, was incorporated on June 7, 2023, in London, United Kingdom (Companies House number 14919639), with a registered address at 12 New Fetter Lane, London, EC4A 1JP. The product provides users with a physical and virtual Visa debit card linked directly to a personal Gnosis Safe smart-contract wallet, enabling on-chain asset spending without surrendering custody to a third party. The card is issued by Monavate Limited, an Electronic Money Institution authorized and regulated by the UK Financial Conduct Authority (FRN: 901097) under the Electronic Money Regulations 2011, pursuant to licence by Visa Europe Limited. As of December 2025, Gnosis Pay had processed approximately $131 million in card spending and over 1.6 million transactions, with 50,000 or more active accounts. The service is currently available to residents of the European Economic Area and is not yet offered in the United States, Asia-Pacific, or Latin America. The platform supports stablecoins including EURe and GBPe, and rewards users with 1–5% cashback denominated in the GNO governance token.","heading":"Overview and Background","severity":"low","sources":[{"credibility":1,"name":"GNOSIS PAY CO LTD. overview - Companies House (UK)","type":"official","url":"https://find-and-update.company-information.service.gov.uk/company/14919639"},{"credibility":2,"name":"Gnosis Pay closes 2025 with $131M in card spending (official X post)","type":"official","url":"https://x.com/gnosispay/status/2006479272865591409"},{"credibility":2,"name":"Why Gnosis Pay Isn't Just Another Crypto Card - Decrypt","type":"news_article","url":"https://decrypt.co/283801/why-gnosis-pay-isnt-just-another-crypto-card"},{"credibility":3,"name":"Gnosis Pay Card Review - SpendNode 2026","type":"other","url":"https://www.spendnode.io/crypto-cards/gnosis-pay-card/"}]},{"content":"On June 1, 2026, blockchain security firm PeckShield detected an active exploit targeting Gnosis Pay infrastructure. Gnosis co-founder Martin Köppelmann publicly confirmed the incident, warning that a vulnerability in the platform's Zodiac Delay Module had been exploited by an attacker to execute unauthorized transactions from affected Safe smart-contract wallets. Köppelmann initially advised all users to immediately withdraw EURe and GNO from their Gnosis Pay cards; he subsequently retracted that guidance, acknowledging that most users would be unable to execute withdrawals while the exploit was active.\n\nThe vulnerability resided in two specific Zodiac module versions: Roles Modifier v2 and Delay Modifier v1.1.0. The Delay Modifier is intended to impose a roughly three-minute waiting period between transaction approval and execution, giving users time to detect and cancel unauthorized activity. Attackers discovered a flaw that allowed them to bypass this security gate entirely and inject and execute outbound transactions directly from affected Safe accounts without going through the intended delay window. According to the Zodiac disclosure on June 3, 2026, the flaw was only triggered under a precise configuration: accounts where one of the vulnerable modules was enabled and where a Safe account using a vulnerable fallback handler had been assigned as a module or role member.\n\nGnosis teams responded by coordinating with bridge validators to pause all outbound bridge activity, cutting off exit routes for stolen funds. The GNO token experienced significant market volatility: its price initially spiked to approximately $132.10 before reversing to approximately $107.40, registering an intraday loss of approximately 7%, with 24-hour trading volume rising over 1,000% to roughly $18.8 million. The total financial losses from the exploit had not been publicly disclosed as of June 3, 2026.\n\nKöppelmann stated: 'Most users will not be able to withdraw funds, but we are actively working to contain the damage. We believe we can contain the majority of it, and in any case, we will ensure that all users are made whole.' The incident was declared fully contained by June 2, 2026. Monerium, the issuer of EURe, confirmed that the vulnerability was specific to Gnosis Pay's delay module infrastructure and did not affect EURe itself or Monerium's systems.","heading":"June 2026 Zodiac Delay Module Exploit","severity":"critical","sources":[{"credibility":1,"name":"Gnosis will cover all user losses amid exploit related to Gnosis Pay - The Block","type":"news_article","url":"https://www.theblock.co/post/403147/gnosis-will-cover-all-user-losses-amid-exploit-related-to-gnosis-pay-co-founder-koppelmann-says"},{"credibility":2,"name":"Zodiac Reveals Flaw Behind Gnosis Pay Exploit, Safe Unaffected - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zodiac-reveals-flaw-behind-gnosis-pay-exploit-safe-unaffected/"},{"credibility":2,"name":"Gnosis Pay Pauses Bridge Following Active Zodiac Delay Module Exploit - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/01/gnosis-pay-pauses-bridge-following-active-zodiac-delay-module-exploit/"},{"credibility":2,"name":"Gnosis Pay exploit tied to Zodiac delay module as users exit - Crypto.news","type":"news_article","url":"https://crypto.news/gnosis-pay-exploit-tied-to-zodiac-delay-module-as-users-exit/"},{"credibility":2,"name":"Gnosis Pay Hit with Module Attack - Bankless","type":"news_article","url":"https://www.bankless.com/gnosis-pay-hit-with-module-attack"},{"credibility":2,"name":"Monerium statement on the Gnosis Pay security incident (X)","type":"official","url":"https://x.com/monerium/status/2061409216854712394"},{"credibility":2,"name":"Gnosis Pay Under Active Exploit: Co-Founder Urges Immediate Withdrawal - CoinAlertNews","type":"news_article","url":"https://coinalertnews.com/news/2026/06/01/gnosis-pay-exploit-withdrawal"},{"credibility":2,"name":"Gnosis Pay Faces Active Exploit Tied to Zodiac Delay Module - Crypto Economy","type":"news_article","url":"https://crypto-economy.com/gnosis-pay-faces-active-exploit-tied-to-zodiac/"}]},{"content":"Gnosis Pay card accounts are built on Safe smart-contract wallets equipped with two Zodiac modules: a Roles Module that authorizes card-level payments, and a Delay Module that imposes a time-lock before outgoing transactions execute. Zodiac is a modular framework extending Safe functionality and is widely adopted across the broader Safe ecosystem. The June 2026 exploit exposed a systemic risk inherent in modular smart-contract architecture: vulnerabilities in third-party or ancillary modules can undermine the security guarantees of the underlying wallet infrastructure even when core contracts are sound.\n\nSafe Labs confirmed that Safe smart contracts, Safe{Wallet} infrastructure and user interface, and account recovery systems were not affected by the exploit. The vulnerability was isolated to specific versions of Zodiac modules (Roles Modifier v2 and Delay Modifier v1.1.0) and their interaction with a vulnerable fallback handler configuration. Safe Labs stated it was coordinating with Zodiac, Gnosis, and the security community as response efforts continued.\n\nZodiac stated that over 95% of identifiable affected accounts had taken corrective action by June 2, 2026, and that a full post-mortem would be published once the investigation was complete. As of June 3, 2026, no detailed post-mortem had been released. The incident underscores that modular extensibility, while powerful, can introduce attack surfaces not present in base wallet contracts, a risk relevant to any protocol built on Zodiac modules.","heading":"Technical Architecture and Modular Risk","severity":"high","sources":[{"credibility":2,"name":"Zodiac Reveals Flaw Behind Gnosis Pay Exploit, Safe Unaffected - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zodiac-reveals-flaw-behind-gnosis-pay-exploit-safe-unaffected/"},{"credibility":3,"name":"Gnosis Pay Hack Exposes Zodiac Delay Module Vulnerability - Cryip","type":"news_article","url":"https://cryip.co/gnosis-pay-hack-exposes-zodiac-delay-module-vulnerability-users-assured-full-reimbursement/"},{"credibility":2,"name":"Gnosis Pay Exploit Hits Delay Module - Blockchain.news","type":"news_article","url":"https://blockchain.news/news/gnosis-pay-exploit-delay-module-refunds"}]},{"content":"Gnosis committed publicly to covering all user losses arising from the exploit. Co-founder Martin Köppelmann stated that Gnosis would ensure all users are made whole regardless of the extent of damage. The recovery plan involves issuing every affected user a new card-linked Safe smart-contract wallet connected to their existing card and identity profile. For users whose funds were drained in the exploit, the new Safe will be preloaded with a balance equivalent to what was held prior to the incident. Unaffected users were required to complete a migration from their existing Pay Safe to a new Pay Safe. Gnosis announced that operations would resume in phased batches, with normal card functionality restored step by step beginning approximately Wednesday evening (Central European Summer Time) following the June 1 incident. The total cost of the reimbursement commitment had not been publicly disclosed as of June 3, 2026, as the total amount drained remained undisclosed.","heading":"User Compensation and Service Recovery Plan","severity":"medium","sources":[{"credibility":2,"name":"Gnosis Pay security incident update: new accounts preloaded with equivalent funds - Bitget News","type":"news_article","url":"https://www.bitget.com/news/detail/12560605441417"},{"credibility":1,"name":"Gnosis will cover all user losses amid exploit related to Gnosis Pay - The Block","type":"news_article","url":"https://www.theblock.co/post/403147/gnosis-will-cover-all-user-losses-amid-exploit-related-to-gnosis-pay-co-founder-koppelmann-says"},{"credibility":2,"name":"Gnosis Pay Exploit: Full User Reimbursement Promised - Blockonomi","type":"news_article","url":"https://blockonomi.com/gnosis-pay-exploit-full-user-reimbursement-promised-following-security-incident/"},{"credibility":2,"name":"Gnosis to Cover Losses After Gnosis Pay Delay-Module Exploit - The Coinomist","type":"news_article","url":"https://thecoinomist.com/news/gnosis-pay-delay-module-exploit-cover-losses/"}]},{"content":"The June 2026 Zodiac Delay Module exploit was not the first security incident connected to Gnosis Pay infrastructure. In late May 2026, a separate exploit targeting the SquidRouterModule drained approximately $3 million from 86 Gnosis Safe wallets on Ethereum and Base networks. All stolen tokens in that incident were swapped to DAI via attacker-controlled Uniswap v3 pools, as reported by blockchain security firm Blockaid. That incident was distinct from and predated the June 1 Delay Module exploit, and affected Safe wallets more broadly rather than Gnosis Pay cards specifically. The two incidents occurring in close succession raised scrutiny around Gnosis's module-based security architecture.","heading":"Prior Security Incidents","severity":"high","sources":[{"credibility":2,"name":"Blockaid detection of SquidRouterModule exploit draining 86 Gnosis Safes for ~$3M (X)","type":"on_chain","url":"https://x.com/blockaid_/status/2058875782810726556"},{"credibility":2,"name":"Exploit hits Gnosis Pay, TesseraDAO loses $2.5M - Bitget News","type":"news_article","url":"https://www.bitget.com/amp/news/detail/12560605440181"},{"credibility":2,"name":"Gnosis Pay Hit with Module Attack - Bankless","type":"news_article","url":"https://www.bankless.com/gnosis-pay-hit-with-module-attack"}]},{"content":"Gnosis Pay's card is issued by Monavate Limited, which is authorized and regulated by the UK Financial Conduct Authority as an Electronic Money Institution under the Electronic Money Regulations 2011 (FRN: 901097). The card operates under a Visa Europe licence. The legal entity Gnosis Pay Co Ltd is incorporated as an active private limited company in England and Wales (Companies House number 14919639) since June 2023. The service is currently limited to European Economic Area residents. No regulatory enforcement actions against Gnosis Pay or its parent have been identified as of June 3, 2026.","heading":"Regulatory and Compliance Status","severity":"low","sources":[{"credibility":1,"name":"GNOSIS PAY CO LTD. overview - Companies House (UK)","type":"official","url":"https://find-and-update.company-information.service.gov.uk/company/14919639"},{"credibility":3,"name":"Gnosis Pay Compliance Profile - PayRate42","type":"other","url":"https://listings.ratex42.com/listings/gnosis-pay/"}]},{"content":"Following the public disclosure of the exploit on June 1, 2026, the GNO token experienced significant intraday volatility. GNO's price initially spiked to approximately $132.10 before reversing sharply to approximately $107.40, representing an intraday decline of approximately 7%. Market capitalization dropped to approximately $287.4 million at the low, while 24-hour trading volume surged approximately 1,043% to roughly $18.8 million. These figures reflect conditions reported on June 1, 2026, and are subject to subsequent change. The GNO token is the native governance and rewards token of the Gnosis ecosystem and is used for cashback on Gnosis Pay card transactions.","heading":"GNO Token Market Impact","severity":"medium","sources":[{"credibility":3,"name":"Gnosis Pay Hack Exposes Zodiac Delay Module Vulnerability - Cryip","type":"news_article","url":"https://cryip.co/gnosis-pay-hack-exposes-zodiac-delay-module-vulnerability-users-assured-full-reimbursement/"},{"credibility":2,"name":"Gnosis Pay Security Flaw Leads to Emergency User Alert - CryptoNewsZ","type":"news_article","url":"https://www.cryptonewsz.com/gnosis-pay-security-emergency-asset-withdrawal/"}]}],"sources_used":[{"credibility":1,"name":"Gnosis will cover all user losses amid exploit related to Gnosis Pay - The Block","type":"news_article","url":"https://www.theblock.co/post/403147/gnosis-will-cover-all-user-losses-amid-exploit-related-to-gnosis-pay-co-founder-koppelmann-says"},{"credibility":2,"name":"Zodiac Reveals Flaw Behind Gnosis Pay Exploit, Safe Unaffected - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zodiac-reveals-flaw-behind-gnosis-pay-exploit-safe-unaffected/"},{"credibility":2,"name":"Gnosis Pay Pauses Bridge Following Active Zodiac Delay Module Exploit - CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/01/gnosis-pay-pauses-bridge-following-active-zodiac-delay-module-exploit/"},{"credibility":2,"name":"Gnosis Pay exploit tied to Zodiac delay module as users exit - Crypto.news","type":"news_article","url":"https://crypto.news/gnosis-pay-exploit-tied-to-zodiac-delay-module-as-users-exit/"},{"credibility":2,"name":"Gnosis Pay Faces Active Exploit Tied to Zodiac Delay Module - Crypto Economy","type":"news_article","url":"https://crypto-economy.com/gnosis-pay-faces-active-exploit-tied-to-zodiac/"},{"credibility":2,"name":"Gnosis to Cover Losses After Gnosis Pay Delay-Module Exploit - The Coinomist","type":"news_article","url":"https://thecoinomist.com/news/gnosis-pay-delay-module-exploit-cover-losses/"},{"credibility":2,"name":"Gnosis Pay Hit with Module Attack - Bankless","type":"news_article","url":"https://www.bankless.com/gnosis-pay-hit-with-module-attack"},{"credibility":2,"name":"Gnosis Pay Exploit: Full User Reimbursement Promised - Blockonomi","type":"news_article","url":"https://blockonomi.com/gnosis-pay-exploit-full-user-reimbursement-promised-following-security-incident/"},{"credibility":2,"name":"Gnosis Pay security incident update: new accounts preloaded with equivalent funds - Bitget News","type":"news_article","url":"https://www.bitget.com/news/detail/12560605441417"},{"credibility":2,"name":"Gnosis Pay Under Active Exploit: Co-Founder Urges Immediate Withdrawal - CoinAlertNews","type":"news_article","url":"https://coinalertnews.com/news/2026/06/01/gnosis-pay-exploit-withdrawal"},{"credibility":3,"name":"Gnosis Pay Hack Exposes Zodiac Delay Module Vulnerability - Cryip","type":"news_article","url":"https://cryip.co/gnosis-pay-hack-exposes-zodiac-delay-module-vulnerability-users-assured-full-reimbursement/"},{"credibility":2,"name":"Exploit hits Gnosis Pay, TesseraDAO loses $2.5M - Bitget News","type":"news_article","url":"https://www.bitget.com/amp/news/detail/12560605440181"},{"credibility":2,"name":"Blockaid detection of SquidRouterModule exploit draining 86 Gnosis Safes (X)","type":"on_chain","url":"https://x.com/blockaid_/status/2058875782810726556"},{"credibility":2,"name":"Monerium statement on the Gnosis Pay security incident (X)","type":"official","url":"https://x.com/monerium/status/2061409216854712394"},{"credibility":1,"name":"GNOSIS PAY CO LTD. overview - Companies House (UK)","type":"official","url":"https://find-and-update.company-information.service.gov.uk/company/14919639"},{"credibility":2,"name":"Gnosis Pay closes 2025 with $131M in card spending (official X post)","type":"official","url":"https://x.com/gnosispay/status/2006479272865591409"},{"credibility":2,"name":"Gnosis Pay Exploit: Team Confirms Full User Compensation - CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/44350-gnosis-pay-exploit-compensation"},{"credibility":2,"name":"Why Gnosis Pay Isn't Just Another Crypto Card - Decrypt","type":"news_article","url":"https://decrypt.co/283801/why-gnosis-pay-isnt-just-another-crypto-card"},{"credibility":1,"name":"Gnosis Lets Crypto Users Make Everyday Purchases From Wallets With Visa - CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2023/07/17/gnosis-lets-crypto-users-make-everyday-purchases-from-wallets-with-visa"},{"credibility":2,"name":"Gnosis Pay Co-Founder Says Losses Being Contained - Bloomingbit","type":"news_article","url":"https://en.bloomingbit.io/feed/news/113288"}],"summary":"Gnosis Pay is a self-custodial Visa debit card platform launched in 2023 that allows users to spend stablecoins such as EURe directly from Safe smart-contract wallets at over 80 million merchants globally. On June 1, 2026, an active exploit was discovered targeting a vulnerability in the Zodiac Delay Modifier v1.1.0 and Roles Modifier v2 modules used by Gnosis Pay, allowing attackers to bypass the platform's built-in three-minute transaction delay protection and drain funds from affected Safe wallets. Gnosis co-founder Martin Köppelmann committed to covering all user losses, and a phased service restoration with new card-linked Safe accounts was announced for affected users as of June 2, 2026.","timeline":[{"date":"2015-01-01","event":"Gnosis founded by Martin Köppelmann and Stefan George under ConsenSys, initially focused on prediction markets.","source":"Ten Years of Gnosis blog post - Gnosis.io","source_url":"https://www.gnosis.io/blog/ten-years-of-gnosis-from-prediction-markets-to-a-user-owned-open-finance-revolution"},{"date":"2023-06-07","event":"Gnosis Pay Co Ltd incorporated in England and Wales (Companies House number 14919639).","source":"Companies House (UK)","source_url":"https://find-and-update.company-information.service.gov.uk/company/14919639"},{"date":"2023-07-17","event":"Gnosis publicly unveils the Gnosis Pay self-custody Visa debit card, enabling users to spend stablecoins from Safe wallets at Visa-accepting merchants.","source":"Gnosis Lets Crypto Users Make Everyday Purchases From Wallets With Visa - CoinDesk","source_url":"https://www.coindesk.com/tech/2023/07/17/gnosis-lets-crypto-users-make-everyday-purchases-from-wallets-with-visa"},{"date":"2025-12-31","event":"Gnosis Pay reports $131 million in total card spending for 2025, with 1.6 million transactions processed.","source":"Gnosis Pay official X post","source_url":"https://x.com/gnosispay/status/2006479272865591409"},{"date":"2026-05-25","event":"Approximately $3 million drained from 86 Gnosis Safe wallets on Ethereum and Base via a separate SquidRouterModule exploit; all stolen tokens swapped to DAI via attacker-controlled Uniswap v3 pools.","source":"Blockaid detection report on X","source_url":"https://x.com/blockaid_/status/2058875782810726556"},{"date":"2026-06-01","event":"Active exploit discovered targeting Gnosis Pay's Zodiac Delay Modifier v1.1.0 and Roles Modifier v2. PeckShield detects the exploit. Martin Köppelmann publicly warns users and urges immediate withdrawal of EURe and GNO. Gnosis coordinates with bridge validators to pause all outbound bridge activity.","source":"Gnosis Pay Pauses Bridge Following Active Zodiac Delay Module Exploit - CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/01/gnosis-pay-pauses-bridge-following-active-zodiac-delay-module-exploit/"},{"date":"2026-06-01","event":"Köppelmann retracts initial withdrawal guidance, acknowledges most users cannot withdraw funds during the active exploit, and commits Gnosis to covering all user losses. GNO price falls approximately 7% intraday on elevated volume.","source":"Gnosis will cover all user losses - The Block","source_url":"https://www.theblock.co/post/403147/gnosis-will-cover-all-user-losses-amid-exploit-related-to-gnosis-pay-co-founder-koppelmann-says"},{"date":"2026-06-02","event":"Gnosis declares the exploit fully contained. Recovery plan announced: all users to receive new card-linked Safe wallets; affected users' new accounts to be preloaded with pre-exploit balances. Phased service restoration planned beginning Wednesday evening (CEST).","source":"Gnosis Pay security incident update - Bitget News","source_url":"https://www.bitget.com/news/detail/12560605441417"},{"date":"2026-06-03","event":"Zodiac publicly discloses the technical details of the vulnerability, confirming the flaw in Roles Modifier v2 and Delay Modifier v1.1.0. Zodiac confirms Safe smart contracts and infrastructure were not affected. Over 95% of identifiable affected accounts have taken corrective action. Full post-mortem pending.","source":"Zodiac Reveals Flaw Behind Gnosis Pay Exploit, Safe Unaffected - CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/03/zodiac-reveals-flaw-behind-gnosis-pay-exploit-safe-unaffected/"}]},"v":1}