Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is

AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
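The three-way comparison described above can be reproduced offline. The following is an added example, not AVOID.NET's own verify_decision code: it assumes the base58 encoding uses the Bitcoin alphabet, that the memo text has already been fetched from the transaction, and the sample decision and memo are constructed.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    """Base58 with the Bitcoin alphabet (assumed; it is what Solana tooling uses)."""
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Each leading zero byte is encoded as a literal '1'.
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def decision_hash(canonical: str) -> str:
    """base58(SHA-256(UTF-8 bytes)). Hash the stored string exactly as given:
    re-serializing the JSON changes whitespace/escaping and thus the digest."""
    return b58encode(hashlib.sha256(canonical.encode("utf-8")).digest())

def parse_memo(memo: str) -> dict:
    """Split AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso> into its fields."""
    parts = memo.strip().split("|")
    if len(parts) != 5 or parts[:2] != ["AVOID.NET", "v1"]:
        raise ValueError("not an AVOID.NET v1 memo")
    fields = {}
    for tag, part in zip(("h", "d", "t"), parts[2:]):
        key, sep, value = part.partition(":")  # ISO times contain ':' too
        if key != tag or not sep or not value:
            raise ValueError(f"malformed {tag!r} field")
        fields[tag] = value
    return fields

def verify(canonical: str, db_hash: str, memo: str) -> dict:
    """Compare the three values; all must agree for the decision to check out."""
    recomputed = decision_hash(canonical)
    onchain = parse_memo(memo)["h"]
    return {
        "recomputed": recomputed,
        "db_ok": db_hash == recomputed,
        "chain_ok": onchain == recomputed,
        "authentic": db_hash == recomputed == onchain,
    }

# Constructed sample data (not a real AVOID.NET decision).
CANONICAL = '{"actor":"moderator:example","kind":"publish","sequence_num":1,"v":1}'
DB_HASH = decision_hash(CANONICAL)
MEMO = f"AVOID.NET|v1|h:{DB_HASH}|d:example-id|t:2026-01-01T00:00:00.000Z"

if __name__ == "__main__":
    print(verify(CANONICAL, DB_HASH, MEMO))
    print(verify(CANONICAL.replace("publish", "reject"), DB_HASH, MEMO))
```

To check a real decision, pass the canonical bytes and database hash shown on its page, together with the memo string read from the referenced Solana transaction.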
Decision
publish · Gnosis Pay Zodiac Delay Module Exploit
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 425241052
- Off-chain at: 2026-06-09T02:53:25.041Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): 9tmaqu7TRi5vXk3nPqyoF7YTSqSYH7sQiUsQraijdrZS
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (16149 chars)
{"actor":"system:backfill","investigation_id":"e198003e-9540-4950-a4cc-3868bcd92ce3","kind":"publish","page_slug":"gnosis-pay-zodiac-delay-module-exploit","published_at":"2026-06-09T02:53:24.942Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Gnosis Pay Zodiac Delay Module Exploit","sections":[{"content":"On June 1, 2026, an active exploit was detected targeting Gnosis Pay user accounts through a vulnerability in the Zodiac Delay Module, a third-party smart contract add-on used within Gnosis Pay's Safe-based account infrastructure. The exploit was first flagged publicly by blockchain security firm PeckShield, with Gnosis co-founder Martin Köppelmann confirming the incident on X (formerly Twitter) and urging users to withdraw EURe and GNO funds. Köppelmann subsequently deleted the withdrawal advisory, acknowledging that most users would be unable to execute manual withdrawals in time. Gnosis asked bridge validators to pause related bridge activity to limit cross-chain movement of potentially stolen funds. 
Gnosis confirmed it would cover all user losses in full.","heading":"Incident Overview","severity":"high","sources":[{"credibility":2,"name":"Gnosis Pay Pauses Bridge Following Active Zodiac Delay Module Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/01/gnosis-pay-pauses-bridge-following-active-zodiac-delay-module-exploit/"},{"credibility":1,"name":"Gnosis will cover all user losses amid exploit related to Gnosis Pay, co-founder Koppelmann says — The Block","type":"news_article","url":"https://www.theblock.co/post/403147/gnosis-will-cover-all-user-losses-amid-exploit-related-to-gnosis-pay-co-founder-koppelmann-says"},{"credibility":2,"name":"Gnosis Pay Under Active Exploit: Co-Founder Urges Immediate Withdrawal of GNO and EURe — CoinAlertNews","type":"news_article","url":"https://coinalertnews.com/news/2026/06/01/gnosis-pay-exploit-withdrawal"}]},{"content":"The vulnerability resided in two Zodiac smart contract modules: Roles Modifier v2 and Delay Modifier v1.1.0. According to a disclosure by the Zodiac team, the flaw only affected accounts where either of these modules was enabled and where a Safe account using a vulnerable fallback handler had been assigned as a module or role member. CertiK's post-incident analysis identified the root cause as a signature-verification flaw in the Delay module's moduleTxSignedBy() function, specifically in how it parsed r, s, and v values from msg.data calldata. Beginning May 29, 2026 — two days before the exploit — the attacker deployed 41 specialized attack contracts engineered to always return the EIP-1271 magic value when called via isValidSignature(), effectively impersonating legitimate signers without providing valid cryptographic proof. On June 1 at approximately 5:26 AM UTC, the attacker called Delay.execTransactionFromModule() to queue transactions, and after the mandatory cooldown elapsed at approximately 5:57 AM UTC, executed those queued transactions to drain victim wallets. 
The Zodiac team and Safe Labs both confirmed that Safe core smart contracts, Safe{Wallet} infrastructure, account recovery systems, and the Safe user interface were not affected.","heading":"Technical Vulnerability","severity":"critical","sources":[{"credibility":2,"name":"Zodiac Reveals Flaw Behind Gnosis Pay Exploit, Safe Unaffected — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zodiac-reveals-flaw-behind-gnosis-pay-exploit-safe-unaffected/"},{"credibility":2,"name":"Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes","type":"research","url":"https://www.cryptotimes.io/2026/06/05/delay-module-trick-costs-gnosispay-265k-reports-certik/"}]},{"content":"CertiK estimated total losses at approximately $265,000 in EURe and GNO tokens, affecting 41 Gnosis Safe accounts. The primary exploit wallet (0x81BA8A2b895D30280bca199C2Ff75f3F058d4C6c) bridged approximately $246,000 in USDT from Ethereum to the Hyperliquid network. Funds were subsequently routed to a secondary address (0xb1834575349c6eb56675c35b4109c3d3a77dd2fc), where portions were converted to Monero (XMR), a privacy-focused cryptocurrency. As of the time of reporting, Gnosis had not officially confirmed the total loss figure, and no comprehensive on-chain breakdown from Gnosis itself had been published. 
The $265,000 figure is sourced from CertiK's independent analysis and should be treated as an estimate pending official disclosure.","heading":"Financial Impact and On-Chain Activity","severity":"high","sources":[{"credibility":2,"name":"Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes","type":"research","url":"https://www.cryptotimes.io/2026/06/05/delay-module-trick-costs-gnosispay-265k-reports-certik/"},{"credibility":2,"name":"Exploit hits Gnosis Pay, TesseraDAO loses $2.5M as June hacks start to climb — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/exploit-hits-gnosis-pay-tesseradao-june/"}]},{"content":"Gnosis co-founder Martin Köppelmann publicly committed that Gnosis would cover all user losses in full. All affected users received replacement Safe accounts linked to their existing physical and virtual Gnosis Pay cards with balances restored to pre-exploit levels. Users were required to update deposit addresses in the Gnosis Pay app, as any funds sent to old Safe addresses would be permanently lost. By June 7, 2026, Gnosis Pay announced that card services had been restored for over 99% of users. The Zodiac team stated that more than 95% of identifiable affected accounts had already undergone corrective action before public disclosure of the vulnerability. 
A full post-mortem was described as pending at the time of reporting, with Zodiac committing to publish it upon completion of the investigation.","heading":"Remediation and Service Restoration","severity":"medium","sources":[{"credibility":2,"name":"Gnosis Pay Restores Card Services for 99% of Users After Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/07/gnosis-pay-restores-card-services-for-99-of-users-after-exploit/"},{"credibility":1,"name":"Gnosis will cover all user losses amid exploit related to Gnosis Pay, co-founder Koppelmann says — The Block","type":"news_article","url":"https://www.theblock.co/post/403147/gnosis-will-cover-all-user-losses-amid-exploit-related-to-gnosis-pay-co-founder-koppelmann-says"},{"credibility":2,"name":"Zodiac Reveals Flaw Behind Gnosis Pay Exploit, Safe Unaffected — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zodiac-reveals-flaw-behind-gnosis-pay-exploit-safe-unaffected/"}]},{"content":"Several material facts remained undisclosed as of the most recent reporting on June 7, 2026. Gnosis has not officially confirmed the total financial losses attributable to the exploit; the $265,000 figure is derived from CertiK's independent blockchain analysis. The exact number of user accounts affected has not been confirmed in official communications from Gnosis. A comprehensive technical post-mortem had not been published as of the reporting date. 
It also remains unclear whether the reimbursement was completed or remained pending at the time of the June 7 service restoration announcement.","heading":"Scope Limitations and Undisclosed Information","severity":"medium","sources":[{"credibility":2,"name":"Gnosis Pay Exploit: Team Confirms Full User Compensation as Investigation Unfolds — CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/44350-gnosis-pay-exploit-compensation"},{"credibility":2,"name":"Gnosis Pay Restores Card Services for 99% of Users After Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/07/gnosis-pay-restores-card-services-for-99-of-users-after-exploit/"}]},{"content":"Gnosis Pay is a crypto payment product that links users' Gnosis Chain Safe smart-contract wallets to Visa-branded debit cards, enabling spending of EURe and GNO. The Zodiac framework is a modular suite of smart contract extensions for Safe accounts, developed as a separate open-source project within the Gnosis ecosystem. The Delay Modifier and Roles Modifier are optional add-on modules, not part of Safe's core architecture. Safe Labs explicitly confirmed that Safe core smart contracts and Safe{Wallet} infrastructure were not implicated in the exploit. 
The incident was classified by observers as a targeted attack on a specific module configuration rather than a systemic compromise of the Gnosis or Safe ecosystems at large.","heading":"Context: Gnosis Pay and Safe Infrastructure","severity":"low","sources":[{"credibility":2,"name":"Zodiac Reveals Flaw Behind Gnosis Pay Exploit, Safe Unaffected — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zodiac-reveals-flaw-behind-gnosis-pay-exploit-safe-unaffected/"},{"credibility":2,"name":"Gnosis Pay exploit tied to Zodiac delay module as users exit — crypto.news","type":"news_article","url":"https://crypto.news/gnosis-pay-exploit-tied-to-zodiac-delay-module-as-users-exit/"}]}],"sources_used":[{"credibility":1,"name":"Gnosis will cover all user losses amid exploit related to Gnosis Pay, co-founder Koppelmann says — The Block","type":"news_article","url":"https://www.theblock.co/post/403147/gnosis-will-cover-all-user-losses-amid-exploit-related-to-gnosis-pay-co-founder-koppelmann-says"},{"credibility":2,"name":"Zodiac Reveals Flaw Behind Gnosis Pay Exploit, Safe Unaffected — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zodiac-reveals-flaw-behind-gnosis-pay-exploit-safe-unaffected/"},{"credibility":2,"name":"Gnosis Pay Restores Card Services for 99% of Users After Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/07/gnosis-pay-restores-card-services-for-99-of-users-after-exploit/"},{"credibility":2,"name":"Gnosis Pay Pauses Bridge Following Active Zodiac Delay Module Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/01/gnosis-pay-pauses-bridge-following-active-zodiac-delay-module-exploit/"},{"credibility":2,"name":"Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes","type":"research","url":"https://www.cryptotimes.io/2026/06/05/delay-module-trick-costs-gnosispay-265k-reports-certik/"},{"credibility":2,"name":"Gnosis 
Pay Under Active Exploit: Co-Founder Urges Immediate Withdrawal of GNO and EURe — CoinAlertNews","type":"news_article","url":"https://coinalertnews.com/news/2026/06/01/gnosis-pay-exploit-withdrawal"},{"credibility":2,"name":"Gnosis Pay exploit tied to Zodiac delay module as users exit — crypto.news","type":"news_article","url":"https://crypto.news/gnosis-pay-exploit-tied-to-zodiac-delay-module-as-users-exit/"},{"credibility":2,"name":"Exploit hits Gnosis Pay, TesseraDAO loses $2.5M as June hacks start to climb — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/exploit-hits-gnosis-pay-tesseradao-june/"},{"credibility":2,"name":"Gnosis Pay Exploit: Team Confirms Full User Compensation as Investigation Unfolds — CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/44350-gnosis-pay-exploit-compensation"},{"credibility":2,"name":"Gnosis Pay Hit by Delay Module Exploit as Gnosis Pledges to Cover User Losses — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/gnosis-pay-hit-by-delay-module-exploit-as-gnosis-pledges-to-cover-user-losses"},{"credibility":2,"name":"Gnosis to Cover Losses After Gnosis Pay Delay-Module Exploit — The Coinomist","type":"news_article","url":"https://thecoinomist.com/news/gnosis-pay-delay-module-exploit-cover-losses/"}],"summary":"On June 1, 2026, Gnosis Pay's Zodiac Delay Module — a third-party smart contract add-on designed to impose mandatory waiting periods on outgoing Safe transactions — was exploited via a signature-verification flaw in the Delay Modifier v1.1.0 and Roles Modifier v2. Blockchain security firm CertiK estimated losses at approximately $265,000 affecting 41 Gnosis Safes, with stolen funds partially bridged to Hyperliquid and converted to Monero. 
Gnosis co-founder Martin Köppelmann publicly pledged full reimbursement for all affected users, card services were restored for over 99% of users by June 7, and Safe core contracts were confirmed unaffected.","timeline":[{"date":"2026-05-29","event":"Attacker deployed 41 specialized smart contracts engineered to return the EIP-1271 magic value unconditionally, laying groundwork for the exploit.","source":"Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/05/delay-module-trick-costs-gnosispay-265k-reports-certik/"},{"date":"2026-06-01","event":"At approximately 5:26 AM UTC, the attacker called Delay.execTransactionFromModule() to queue malicious transactions across 41 affected Gnosis Safes.","source":"Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/05/delay-module-trick-costs-gnosispay-265k-reports-certik/"},{"date":"2026-06-01","event":"At approximately 5:57 AM UTC, after the mandatory cooldown expired, the attacker executed the queued transactions and drained victim wallets. Estimated loss: ~$265,000 in EURe and GNO.","source":"Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/05/delay-module-trick-costs-gnosispay-265k-reports-certik/"},{"date":"2026-06-01","event":"PeckShield publicly flagged the active exploit. Gnosis co-founder Martin Köppelmann posted an advisory on X urging users to withdraw EURe and GNO immediately.","source":"Gnosis Pay Under Active Exploit: Co-Founder Urges Immediate Withdrawal — CoinAlertNews","source_url":"https://coinalertnews.com/news/2026/06/01/gnosis-pay-exploit-withdrawal"},{"date":"2026-06-01","event":"Köppelmann deleted the withdrawal advisory and issued a revised statement pledging that Gnosis would cover all user losses. 
Gnosis requested bridge validators pause activity to contain fund movement.","source":"Gnosis will cover all user losses — The Block","source_url":"https://www.theblock.co/post/403147/gnosis-will-cover-all-user-losses-amid-exploit-related-to-gnosis-pay-co-founder-koppelmann-says"},{"date":"2026-06-01","event":"Primary exploit wallet (0x81BA8A2b895D30280bca199C2Ff75f3F058d4C6c) bridged approximately $246,000 in USDT from Ethereum to Hyperliquid. Funds subsequently routed to a secondary address and partially converted to Monero.","source":"Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/05/delay-module-trick-costs-gnosispay-265k-reports-certik/"},{"date":"2026-06-03","event":"Zodiac published a disclosure identifying Roles Modifier v2 and Delay Modifier v1.1.0 as the affected components via a vulnerable fallback handler. Safe Labs confirmed Safe core contracts were unaffected.","source":"Zodiac Reveals Flaw Behind Gnosis Pay Exploit, Safe Unaffected — CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/03/zodiac-reveals-flaw-behind-gnosis-pay-exploit-safe-unaffected/"},{"date":"2026-06-05","event":"CertiK published an independent on-chain analysis estimating total losses at approximately $265,000 across 41 compromised Gnosis Safes, and detailing the moduleTxSignedBy() signature-verification flaw.","source":"Delay Module Trick Costs GnosisPay $265K, Reports CertiK — CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/05/delay-module-trick-costs-gnosispay-265k-reports-certik/"},{"date":"2026-06-07","event":"Gnosis Pay announced card services had been restored for over 99% of users. 
All affected accounts received replacement Safe accounts linked to existing cards with balances restored.","source":"Gnosis Pay Restores Card Services for 99% of Users After Exploit — CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/07/gnosis-pay-restores-card-services-for-99-of-users-after-exploit/"}]},"v":1}