

Gnosis Pay Exploit Hits Delay Module, Founder Promises Full Refund

Peter Zhang   Jun 01, 2026 12:40


Gnosis Pay, the payment infrastructure tied to the Ethereum-based Gnosis ecosystem, is grappling with an exploit targeting its Delay Module. Co-founder Martin Köppelmann confirmed the hack on June 1, 2026, initially urging users to withdraw affected funds in EURe and GNO tokens. However, he later retracted the withdrawal recommendation, acknowledging that most users would be unable to retrieve funds due to the exploit’s nature. Köppelmann assured users that Gnosis would fully cover any financial losses incurred.

The delay module, a key part of Gnosis Pay's design, queues outgoing transactions for three minutes to ensure settlement accuracy and prevent immediate unauthorized withdrawals. According to former Near Protocol developer Vadim Zacodil, the module’s shared queuing layer, which processes transactions for multiple users simultaneously, was likely the source of the vulnerability. This setup means a single exploit could compromise thousands of user accounts at once, despite the self-custodial nature of individual Safe wallets.

This incident raises fresh security concerns, coming less than a week after a separate exploit on May 25, 2026, drained $3.2 million from 86 Safe wallets. That attack, involving a rogue third-party module called SquidRouterModule, highlighted the risks of integrating unverified modules into Safe wallets. While the Gnosis Safe core protocol was not compromised, the rapid succession of these events has cast a spotlight on module governance and execution risks within the ecosystem.

Unanswered Questions and Market Impact

Key details about the current exploit remain unclear, including the total amount stolen, the specific contracts affected, and whether the vulnerability lies in the Delay Module itself or its configuration within Gnosis Pay. Limited communication from Gnosis as of publication has left users and analysts in the dark regarding the exploit’s full scope.

Security firm PeckShield, which amplified Köppelmann’s initial withdrawal warning, has yet to release a detailed post-mortem. Meanwhile, Gnosis’s ability to pause infrastructure and commit treasury funds to reimburse users provides some damage control, but it also underscores the dependency on centralized responses in ostensibly decentralized systems.

DeFi Security Lessons and Broader Trends

The timing of the Gnosis Pay exploit coincides with a broader trend of reduced crypto losses from hacks. Data from CertiK indicates that May 2026 saw total crypto exploit losses fall to $68.3 million, a sharp 90% drop from April and one of the lowest monthly totals of the year. However, the recent string of module-related hacks targeting Gnosis-affiliated products highlights a persistent vulnerability in the DeFi space: the security of modular smart contract systems.

Gnosis Pay accounts rely on two primary modules: the Delay Module, which enforces the three-minute transaction queue, and the Roles Module, which sets programmable transaction limits. While these features enhance functionality, they also introduce additional attack vectors. The May 25 and June 1 incidents demonstrate how even modules designed to enhance security can become liabilities if exploited.

For traders and DeFi participants, the Gnosis Pay incident underscores the importance of scrutinizing wallet configurations, especially when third-party modules are involved. The focus on maintaining user trust will likely lead to increased scrutiny of module verification processes across the Gnosis ecosystem and beyond.
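One way to scrutinize a wallet's module configuration, as an added example that is not Gnosis or Safe code: decode the return data of the Safe contract's `getModulesPaginated` view call and flag every enabled module that is not on a reviewed allowlist. The module addresses, the allowlist and the sample return data are constructed placeholders; only the module names come from this article.

```python
# Added example (not Gnosis or Safe code): audit a Safe's enabled modules.
SENTINEL = "0x" + "00" * 19 + "01"   # Safe's module linked-list sentinel

# Constructed placeholder addresses, not real deployments.
DELAY, ROLES, UNKNOWN = ("0x" + b * 20 for b in ("d1", "a0", "5c"))
ALLOWLIST = {DELAY: "Delay Module", ROLES: "Roles Module"}  # lowercase keys

def _addr(word):
    """Turn one 32-byte ABI word into a lowercase 0x address."""
    if len(word) != 32 or any(word[:12]):
        raise ValueError("not a clean address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret_hex):
    """Decode ABI return data shaped as (address[] array, address next)."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    if len(data) < 96 or len(data) % 32:
        raise ValueError("malformed return data")
    offset = int.from_bytes(data[0:32], "big")      # where the array starts
    nxt = _addr(data[32:64])
    if offset % 32 or offset + 32 > len(data):
        raise ValueError("array offset out of bounds")
    count = int.from_bytes(data[offset:offset + 32], "big")
    body = data[offset + 32:]
    if count * 32 > len(body):
        raise ValueError("array length exceeds return data")
    return [_addr(body[i * 32:(i + 1) * 32]) for i in range(count)], nxt

def audit_safe_modules(ret_hex, allowlist):
    """Split enabled modules into reviewed and unreviewed sets."""
    modules, nxt = decode_modules_page(ret_hex)
    return {
        "approved": [allowlist[m] for m in modules if m in allowlist],
        "unreviewed": [m for m in modules if m not in allowlist],
        "complete": nxt == SENTINEL,   # False: fetch the next page too
    }

def _word(addr):
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")

# Constructed return data: offset 0x40, next = sentinel, three modules.
SAMPLE_RETURN = "0x" + b"".join(
    [(0x40).to_bytes(32, "big"), _word(SENTINEL), (3).to_bytes(32, "big")]
    + [_word(a) for a in (DELAY, ROLES, UNKNOWN)]
).hex()

if __name__ == "__main__":
    print(audit_safe_modules(SAMPLE_RETURN, ALLOWLIST))
```

Any address reported under `unreviewed` is a module that can execute transactions from the Safe without having passed review, which is the condition the May 25 incident turned on.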

As the Gnosis team works to contain the current exploit and compensate users, the incident serves as a reminder of the evolving risks in decentralized finance. Until more robust safeguards are implemented, the balance between innovation and security will remain precarious.

