
Gnosis Pay Refunds Every User After $1.8M Zodiac Exploit

Gnosis Pay has reimbursed every one of the 5,281 wallets hit by a June 1 Zodiac delay module exploit that drained $1.5M and froze $300K.

Gnosis Pay has reimbursed every one of the 5,281 wallets hit by a June 1 exploit of its Zodiac delay module. The incident drained about $1.5 million from users of the self-custodial crypto Visa card provider and froze roughly $300,000 more. Gnosis Pay published a detailed post-mortem on Friday, July 3, confirming the full reimbursement pledge co-founder Martin Köppelmann had made on the day of the attack.

The exploit abused a missing success check in a signature verification routine. Gnosis’s own engineering team introduced that routine in Zodiac version 3.4.0 on October 30, 2023. The bug entered production that day and stayed there until an attacker walked withdrawals through it across multiple victims on June 1, 2026.

How the Breach Played Out

  • 5,281 wallets affected
  • $1.5M extracted by the attacker
  • ~$300K rendered inaccessible
  • 06:17 UTC, June 1 first unauthorized transfer
  • 08:06 UTC, June 1 root cause identified

Treasury manager NOCA’s monitoring infrastructure flagged the first large unauthorized transfer at 06:17 UTC on June 1, 2026. Gnosis Pay initiated its emergency response within minutes and identified the root cause in the Zodiac modules by 08:06 UTC, a little under two hours after the alert. The incident response team paused card transaction processing, authorization systems, and new user onboarding, while engineers halted the bridge to Gnosis Chain by asking its validators to stop it.

The attack exploited two software modules Gnosis Pay uses to govern its card accounts: the Roles Module, which authorizes card payments, and the Delay Module, which imposes a roughly three-minute wait before outgoing transactions execute. The three-minute delay is meant to give users a window to react before a transfer goes through. It did not create enough friction to stop the attacker.

Köppelmann disclosed the incident in a post on X the same day, writing that the attacker was able to initiate transactions from Safes fitted with the delay module. The company’s own account initially urged affected users able to withdraw to do so, then walked that advice back after Köppelmann said most users could not. Blockchain security firm PeckShield separately flagged the active exploit, advising Gnosis Pay users to check their exposure and withdraw their EURe and GNO where possible. Gnosis Pay told stablecoin issuers about the attacker-linked addresses to help isolate any assets that could be flagged, and the leadership notified other projects that might have been exposed to the same vulnerability.

The Bug That Lived in Zodiac Since October 2023

Gnosis’s post-mortem, which includes a timeline and a token-by-token loss breakdown, traces the vulnerability to commit 9a9e380, which added EIP-1271 signature support to Zodiac version 3.4.0 on October 30, 2023. The change let Gnosis Pay accounts confirm a withdrawal request via a signature check. That signature check asked the account’s contract a yes-or-no question, then read only the first four bytes of the answer.

The check never verified that the underlying call had succeeded. The code treated any return value whose first four bytes matched the ERC-1271 magic value as a valid signature, even if the contract had reverted. An attacker could deploy a contract that fails on purpose while still returning the magic bytes, and the account would treat the result as a real approval. To the Gnosis Pay account, a forged approval looked just like the user’s. That let the attacker queue withdrawals from accounts they did not own, and the Delay Module then executed those queued withdrawals during its three-minute window.

The fix is one line. Also require the call to succeed. Gnosis Pay’s post-mortem prints the buggy version and the patched version side by side. A signature patch was flagged as a security fix by the Zodiac team on June 5, 2026, days after the exploit began.
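The following is an added illustration of the bug class described above, not the Zodiac or Gnosis Pay code: the library name, function names and the exact shape of the call are assumptions. It places the pattern that discards the call’s success flag beside the corrected one that requires success before trusting the return data.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative re-creation of the missing-success-check pattern.
// This is NOT Zodiac's code; names and layout are assumptions.
interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes memory sig)
        external view returns (bytes4);
}

library Erc1271Check {
    // ERC-1271 magic value, equal to the selector of isValidSignature(bytes32,bytes).
    bytes4 internal constant MAGIC = 0x1626ba7e;

    // Buggy pattern: the success flag of the low-level call is discarded.
    // When the callee reverts, `ret` holds its revert data, so any revert
    // payload whose first four bytes equal MAGIC is accepted as a valid signature.
    function isValidBuggy(address signer, bytes32 hash, bytes memory sig)
        internal view returns (bool)
    {
        (, bytes memory ret) = signer.staticcall(
            abi.encodeCall(IERC1271.isValidSignature, (hash, sig))
        );
        return ret.length >= 4 && bytes4(ret) == MAGIC;
    }

    // Fixed pattern: require the call to succeed, then decode the return
    // value as a properly ABI-encoded bytes4 instead of reading whatever
    // happens to sit in the first four bytes of the buffer.
    function isValidFixed(address signer, bytes32 hash, bytes memory sig)
        internal view returns (bool)
    {
        (bool ok, bytes memory ret) = signer.staticcall(
            abi.encodeCall(IERC1271.isValidSignature, (hash, sig))
        );
        if (!ok || ret.length != 32) return false;
        return abi.decode(ret, (bytes4)) == MAGIC;
    }
}
```

A reverting callee makes `ok` false, so `isValidFixed` rejects it regardless of what the revert data contains; the length check additionally rejects a successful callee that returns malformed data.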

Gnosis says it is now working out why the missing check was not caught earlier: a full internal review of onchain and offchain systems is underway, and an external firm is running an independent holistic security assessment. The post-mortem explicitly notified other projects that might still be running the same vulnerable build.

The $1.8 Million, Broken Down by Token

Gnosis Pay puts the total loss at about $1.8 million across 5,281 wallets with a balance of at least $1 at the time of the attack. Of that, roughly $1.5 million was extracted by the attacker and another ~$300,000 was rendered inaccessible in wallets the team is still working to recover. The attacker’s haul was concentrated in three tokens. The asset breakdown published with the post-mortem totals about $1,496,151 across eight tokens, with GNO, EURe, and USDC.e together accounting for roughly $1,493,455 of the take.

  • GNO: $641,159
  • EURe: $453,175
  • USDC.e: $399,121
  • SAFE: $2,202
  • WETH: $323
  • xDAI: $135
  • USDC: $28
  • USDT: $7

Containment, Refunds, and Service Restoration

Rest assured, Gnosis will cover all user losses.

That was Gnosis co-founder Martin Köppelmann, writing on X on June 1, 2026, the day of the attack. The post-mortem confirms the pledge was kept: Gnosis absorbed the losses and all funds were restored to users. No users lost funds in the exploit.

The first accounts were reactivated on the evening of Wednesday, June 3, with balance restoration, card re-enabling, and the resumption of normal operations. ChainSecurity, the external auditor Gnosis Pay engaged for a focused review, completed its work on June 4. Between June 4 and June 7, the company deployed newly engineered card safe modules in tranches, linking each user to their existing profile.

  1. June 1, 06:17 UTC: NOCA flags the first large unauthorized transfer.
  2. June 1, 08:06 UTC: Root cause identified in the Zodiac modules.
  3. June 3, evening: First accounts reactivated; balance restoration and card re-enabling begin.
  4. June 4: ChainSecurity completes the focused review of the patched modules.
  5. June 4 to 7: Newly engineered card safe modules deployed in tranches.
  6. June 5: Zodiac team flags the signature patch as a security fix.
  7. June 6: Full services restored to 99% of users.

By June 6, 2026, Gnosis Pay had restored full services to 99% of users. The remaining accounts were restored early the following week. The company also established an emergency fund for users in extremis, available alongside the standard restoration. Recovery work continues on the roughly $300,000 currently locked in inaccessible accounts, and Gnosis Pay said it is still exploring options for those funds.

What Gnosis Is Changing Before the v2 Launch

The post-mortem lists five concrete actions underway. First, Gnosis Pay is growing its security team and bringing in external researchers to work alongside them, adding dedicated capacity. Second, it is conducting a full internal review of onchain and offchain systems: smart contracts, infrastructure, processes, and the dependencies it relies on. Third, it is completing an independent holistic security assessment with an external security firm. Fourth, it has widened its audit scope to cover external contracts it depends on, not just its own. Fifth, it is actively monitoring upstream dependencies, with a clear process to review and act on upstream security fixes quickly.

Below those five items is the bigger structural change. Gnosis Pay says it has recently completed a full rebuild of the Gnosis Pay product, internally called v2. The rebuild is optimized for observability and streamlined operations. The team says the new architecture gives it faster detection and faster response on the next incident.

Gnosis has not committed to a launch date for v2 in the post-mortem. The new product is positioned as the platform’s defensive next step. It also addresses a structural risk the original system carried: any bug in a third-party module, like the Delay Module, can move funds under permissions the user already granted. The rebuild is meant to preserve that design while adding monitoring built into the product itself. The July 3 statement confirming that all affected balances were restored is also the company’s first public confirmation that it has committed to the rebuild path.

What Other Projects Built on Zodiac Should Check Now

Gnosis Pay’s post-mortem explicitly notified external projects that might be exposed to the same vulnerability. Any team running a Safe wallet with the Delay Module and Roles Module from Zodiac version 3.4.0 should review their own configuration. The signature patch flagged by the Zodiac team on June 5, 2026 is the relevant fix.

For affected projects, three checks matter. First, confirm the deployed bytecode matches the patched signature verification, not the version from commit 9a9e380. Second, audit any custom module that calls into the Delay Module for the same missing success check. Third, treat the bridge to Gnosis Chain as sensitive in any wallet path that touches the Delay Module. The wider lesson from a bug that entered production on October 30, 2023 is that legacy module dependencies are part of the security perimeter, not separate from it.

Frequently Asked Questions

What assets did the Gnosis Pay attacker take?

Per Gnosis’s post-mortem, the attacker’s take broke down as GNO 641,159; EURe 453,175; USDC.e 399,121; SAFE 2,202; WETH 323; xDAI 135; USDC 28; and USDT 7. That totals about $1,496,151 in extracted assets across 5,281 wallets with balances of at least $1.

Did Gnosis Pay users lose any money?

No. The post-mortem states Gnosis absorbed the full loss and that no users lost funds in the exploit. Roughly $1.5 million extracted by the attacker and another ~$300,000 rendered inaccessible were both covered by Gnosis Pay.

How can users check if their Gnosis Pay wallet was affected?

The post-mortem identifies the initial exploit contract address as 0x5a77953caa27ed4638f4dfdc665b8064d0e97a35. Users can check any interaction with that contract on-chain through their wallet’s transaction history.

Is the Gnosis Pay vulnerability fixed?

Yes. The signature patch was flagged as a security fix by the Zodiac team on June 5, 2026. Gnosis Pay deployed newly engineered card safe modules between June 4 and June 7, and full services were restored to 99% of users by June 6, with the remainder restored early the following week.

Can Gnosis Pay users spend and withdraw normally now?

Yes. The post-mortem states that Gnosis Pay absorbed the losses and all funds were restored to users. The company is still working on recovery options for the roughly $300,000 currently locked in inaccessible accounts.

Disclaimer: Cryptoassets are volatile and self-custodial payment products carry technical risk. The figures in this article are accurate as of Gnosis Pay’s July 3, 2026 post-mortem and may change as recovery efforts continue. This article is informational only and not financial advice. Consult a qualified professional before making decisions involving cryptoassets.

As the founder of Thunder Tiger Europe Media, Dr. Elias Thornwood brings over 25 years of experience in international journalism, having reported from conflict zones in the Middle East, Asia, and Africa for outlets like BBC World and Reuters. With a PhD in International Relations from Oxford University, his expertise lies in geopolitical analysis and global diplomacy. Elias has authored two bestselling books on European foreign policy and received the Pulitzer Prize for International Reporting in 2015, establishing his authoritativeness in the field. Committed to trustworthiness, he enforces rigorous fact-checking protocols at Thunder Tiger, ensuring unbiased, evidence-based coverage of worldwide news to empower informed global audiences.
