Gnosis is working to contain an exploit Monday affecting its Gnosis Pay product after co-founder Martin Köppelmann acknowledged an active hack involving the system’s delay module and said the project would cover user losses.
Köppelmann initially urged users to withdraw funds, a warning quickly amplified by blockchain security firm PeckShield, which said users were strongly advised to withdraw all funds (EURe and GNO) and check exposure.
The Gnosis co-founder later withdrew that advice, however, and deleted the initial tweet, saying that most users would not be able to withdraw their funds. He reiterated that the Gnosis team is “actively working to contain the damage” and will make users whole.
Gnosis is a long-running Ethereum project best known for its smart contract wallet infrastructure and Gnosis Chain, an Ethereum Virtual Machine (EVM)-compatible network used for payments and decentralized finance.
The shifting guidance leaves key questions unanswered, including how much has been stolen, which contracts or users are affected, and whether the issue stems from the Zodiac delay module itself, its configuration within Gnosis Pay, or a broader architectural flaw.
Gnosis co-founder pledges to make users whole. Source: Koeppelmann
Cointelegraph reached out to Gnosis and Gnosis Pay for comment, but had not received a response by publication.
Former Near protocol core developer Vadim Zacodil said Gnosis Pay’s design routes user self-custody through a shared “delay” layer that queues outgoing transactions from many Safes at once, so a bug or exploit there can push malicious withdrawals into thousands of users’ queues simultaneously, even though individual keys never move.
In practice, he argued, what is protecting users in this incident is less the self-custodial Safe accounts and more Gnosis’s ability to pause infrastructure and commit treasury funds to cover losses.
Incident follows third-party Safe module exploit
The incident comes just days after a separate exploit involving a third-party module connected to Safe, the smart contract wallet infrastructure originally incubated within the Gnosis ecosystem and now developed by Safe Labs.
In that case, a SquidRouterModule contract interacting with Safe wallets was abused to drain about $3.2 million from roughly 86 Safes across Ethereum and Base, prompting both Safe Labs and Squid to say the vulnerability lay outside their core protocols.
It also comes after a month of reduced crypto exploit losses on the whole. Data from CertiK posted Sunday showed total losses fell to about $68.3 million in May, a roughly 90% decline from April, marking the third month this year with losses below $100 million.