Team Commits to User Reimbursement Following Gnosis Pay Delay Module Security Breach
An ongoing security breach targeting Gnosis Pay's delay module prompts co-founder Martin Köppelmann to retract initial fund withdrawal advisories while committing to full compensation for impacted users.

The Gnosis team is actively working Monday to mitigate a security breach affecting its Gnosis Pay platform following co-founder Martin Köppelmann's confirmation of an ongoing attack targeting the delay module component, with commitments to reimburse all affected users for their losses.
In initial communications, Köppelmann advised users to withdraw their assets immediately. Blockchain security company PeckShield swiftly echoed that recommendation, urging users to strongly consider withdrawing all assets (EURe and GNO) and to verify their exposure levels.
However, the Gnosis co-founder subsequently reversed that guidance and removed the original tweet, explaining that the majority of users would find themselves unable to complete fund withdrawals. He emphasized that the Gnosis development team is "actively working to contain the damage" and committed to ensuring users are made whole.
As an established Ethereum-based project, Gnosis has built its reputation primarily on smart contract wallet infrastructure and the development of Gnosis Chain, a network compatible with the Ethereum Virtual Machine (EVM) that facilitates payments and decentralized finance operations.
The evolving and contradictory guidance has left several critical questions unanswered: the total amount of funds compromised, which specific contracts or user accounts have been impacted, and whether the vulnerability originates from the Zodiac delay module's core code, from its implementation within the Gnosis Pay framework, or from a more fundamental architectural weakness.
Cointelegraph contacted both Gnosis and Gnosis Pay representatives for official statements, but no response had been received at the time of publication.
Vadim Zacodil, who previously served as a core developer for the Near protocol, explained that Gnosis Pay's architectural design channels user self-custody transactions through a collective "delay" mechanism that queues outbound transactions from numerous Safes simultaneously. A vulnerability or exploit affecting this layer can therefore inject malicious withdrawal requests into the queues of thousands of users at the same time, even though individual private keys remain secure and unmoved.
According to his analysis, what is actually safeguarding users in this particular incident is not primarily the self-custodial nature of Safe accounts, but rather Gnosis's capacity to halt infrastructure operations and allocate treasury resources to compensate for the losses incurred.
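The trust boundary Zacodil describes can be made concrete with a small model. The following is an added example, not Gnosis Pay, Safe or Zodiac code: it assumes a simplified Safe that executes transfers for any enabled module without an owner signature, and a shared delay layer with a cooldown window, an expiration, a set of authorized enqueuers (here a hypothetical "relayer" key) and a pause switch. The scenario shows why a compromise at the queue layer reaches every Safe behind it while no owner key is used, and why the effective protections are the cancel window and the operator's ability to halt the queue.

```python
from dataclasses import dataclass


@dataclass
class QueuedTx:
    safe: str       # id of the Safe the transfer will be taken from
    to: str
    value: int
    queued_at: int  # model time at which it entered the queue


class Safe:
    """Simplified wallet: transfers requested by an enabled module need no owner signature."""

    def __init__(self, owner: str, balance: int):
        self.owner = owner
        self.balance = balance
        self.modules: set[str] = set()

    def exec_from_module(self, module: str, to: str, value: int) -> bool:
        # The only check is module membership; the owner's key is never consulted.
        if module not in self.modules or value > self.balance:
            return False
        self.balance -= value
        return True


class DelayModifier:
    """One shared queue layer in front of many Safes (constructed model, not Zodiac's code)."""

    def __init__(self, name: str, cooldown: int, expiration: int):
        self.name = name
        self.cooldown = cooldown          # seconds an owner has to cancel before execution
        self.expiration = expiration      # seconds after cooldown during which it may still run
        self.enqueuers: set[str] = set()  # keys allowed to queue transfers, e.g. a relayer
        self.queues: dict[str, list[QueuedTx]] = {}
        self.paused = False

    def enqueue(self, caller: str, safe_id: str, to: str, value: int, now: int) -> bool:
        # Whoever holds an enqueuer key can queue from ANY Safe that enabled this module.
        if self.paused or caller not in self.enqueuers:
            return False
        self.queues.setdefault(safe_id, []).append(QueuedTx(safe_id, to, value, now))
        return True

    def cancel_all(self, safe_id: str) -> int:
        """Owner-side mitigation: drop everything pending for one Safe during the cooldown."""
        dropped = len(self.queues.get(safe_id, []))
        self.queues[safe_id] = []
        return dropped

    def execute_due(self, safes: dict[str, Safe], now: int) -> list[QueuedTx]:
        """Run every matured, unexpired transfer; a paused queue executes nothing."""
        executed: list[QueuedTx] = []
        if self.paused:
            return executed
        for safe_id, pending in self.queues.items():
            still_waiting = []
            for tx in pending:
                age = now - tx.queued_at
                if age < self.cooldown:
                    still_waiting.append(tx)   # inside the cancel window
                elif age > self.cooldown + self.expiration:
                    continue                   # expired, silently dropped
                elif safes[safe_id].exec_from_module(self.name, tx.to, tx.value):
                    executed.append(tx)
            self.queues[safe_id] = still_waiting
        return executed


def run_scenario(owner_reacts: bool, operator_pauses: bool) -> dict:
    """Constructed incident: the relayer key is compromised and used to queue withdrawals."""
    delay = DelayModifier("delay", cooldown=60, expiration=600)
    delay.enqueuers.add("relayer")
    safes = {f"safe{i}": Safe(owner=f"owner{i}", balance=100) for i in range(3)}
    for safe in safes.values():
        safe.modules.add("delay")
    # One compromised enqueuer key reaches every Safe behind the shared layer at once.
    injected = sum(delay.enqueue("relayer", sid, "attacker", 100, now=0) for sid in safes)
    early = delay.execute_due(safes, now=10)      # still inside cooldown: nothing moves yet
    if owner_reacts:
        delay.cancel_all("safe0")                 # one owner notices and cancels in time
    if operator_pauses:
        delay.paused = True                       # infrastructure halted for everyone
    drained = delay.execute_due(safes, now=61)    # cooldown elapsed
    return {
        "injected": injected,
        "executed_early": len(early),
        "drained": [tx.safe for tx in drained],
        "balances": {sid: s.balance for sid, s in safes.items()},
    }
```

Running `run_scenario(False, False)` drains all three Safes without any owner key being touched; `run_scenario(True, False)` saves only the Safe whose owner cancelled within the cooldown; `run_scenario(False, True)` shows that pausing the shared layer protects every Safe at once, which is the lever the article credits with limiting this incident.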
Incident follows third-party Safe module exploit
This security incident comes only days after a separate exploit involving a third-party module connected to Safe, the smart contract wallet infrastructure that was initially incubated as part of the Gnosis ecosystem and is currently maintained and developed by Safe Labs.
In the earlier incident, a SquidRouterModule contract that interfaced with Safe wallets was exploited to siphon approximately $3.2 million from around 86 Safe wallets distributed across the Ethereum and Base networks, leading both Safe Labs and Squid to assert that the security weakness existed outside the boundaries of their core protocol implementations.
Additionally, this incident follows a month that saw substantially reduced cryptocurrency exploit losses overall. Information released by CertiK on Sunday indicated that total losses declined to approximately $68.3 million throughout May, representing a roughly 90% reduction compared to April's figures, and marking the third month during this year where losses remained under the $100 million threshold.