Gnosis Pay suffered an active exploit on June 1 after attackers targeted the Zodiac Delay Module, a contract component used to hold outgoing transactions before execution. The breach turned a safety feature into the attack surface, forcing Gnosis to contain activity while promising to reimburse affected users.
The delay module is meant to give users a short window to detect and react to suspicious transfers from Pay Safe wallets. In this case, the attacker was able to initiate transactions from Safes using the affected module, even though the core Safe contracts and individual private keys were not described as compromised. That distinction matters because modular wallet architecture can fail outside the core wallet layer.
Deleted an earlier tweet that asked users to withdraw funds. Most users will not be able to do so, but we are actively working to contain the damage. We believe we can contain the majority of it, and in any case, we will ensure that all users are made whole.
— koeppelmann (@koeppelmann) June 1, 2026
Shared Queues Create Systemic Wallet Risk
The technical concern centers on the module’s queuing design. Former Near Protocol developer Vadim Zacodil said Gnosis Pay routes self-custody through a shared delay layer that queues outgoing transactions for many Safes at once. A flaw in that shared layer can affect multiple wallets simultaneously, even when each user still technically controls their own account.
Martin Köppelmann initially urged users to withdraw EURe and GNO, a warning also amplified by PeckShield. That guidance was later withdrawn after Gnosis concluded most users would not be able to exit immediately. The response shifted from user withdrawal to centralized containment, including requests for bridge validators to pause related activity.
#PeckShieldAlert @koeppelmann has alerted that there is an active exploit related to @gnosispay.
Users are strongly urged to withdraw all funds (EURe and GNO). Please check your exposure, as you may be affected. https://t.co/jiH3okIhLH
— PeckShieldAlert (@PeckShieldAlert) June 1, 2026
Köppelmann then said Gnosis would cover user losses and that the team believed it could contain most of the damage. The total value stolen and the number of affected accounts had not been disclosed, leaving the market to wait for a full technical post-mortem and loss accounting.
Recent Safe-Module Incidents Raise the Stakes
The Gnosis Pay incident follows another module-related Safe wallet exploit from May 25, when a third-party SquidRouterModule drained about $3.2 million from 86 Safes across Ethereum and Base. Together, the episodes point to recurring risk in wallet extensions and delegated execution paths, not only in core protocol contracts.
For traders and institutional users, the immediate lesson is operational. Smart-account security depends on enabled modules, permissions, relayers, queues and routing logic as much as on private-key custody. A wallet can remain cryptographically intact while still being exposed through approved contract components.
For Gnosis, reimbursement can limit the immediate user impact, but it will not settle the broader infrastructure question. The long-term test is whether the post-mortem produces code-level fixes, module-governance changes and clearer emergency procedures for products built on composable wallet stacks.
The incident is likely to accelerate internal audits of Safe modules, delay mechanisms and transaction-routing permissions across DeFi products. Any system that shares execution logic across many users now needs stronger isolation, verification and monitoring, especially where a single module can move funds from multiple accounts.
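An added example, not code from Gnosis, Safe or this article: a minimal module inventory of the kind the paragraphs above call for. It decodes the raw return data of Safe's `getModulesPaginated(address start, uint256 pageSize)` view for several Safes, then reports modules outside an allowlist and modules enabled on many Safes at once. The Safe labels, module addresses, allowlist and threshold are constructed assumptions.

```python
from collections import defaultdict

SENTINEL = "0x" + "00" * 19 + "01"  # Safe's module-list sentinel, address(0x1)

def _word(data, i):
    w = data[i:i + 32]
    if len(w) != 32:
        raise ValueError("truncated ABI data")
    return w

def _addr(word):
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def decode_modules_page(ret_hex):
    """Decode the (address[] array, address next) return of getModulesPaginated."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    offset = int.from_bytes(_word(data, 0), "big")
    nxt = _addr(_word(data, 32))
    count = int.from_bytes(_word(data, offset), "big")
    if count > (len(data) - offset - 32) // 32:
        raise ValueError("array length exceeds payload")
    return [_addr(_word(data, offset + 32 * (k + 1))) for k in range(count)], nxt

def audit(responses, allowlist, shared_threshold):
    """Return (unapproved modules per Safe, modules enabled on >= threshold Safes)."""
    by_module, unapproved = defaultdict(set), {}
    for safe, ret_hex in responses.items():
        mods, nxt = decode_modules_page(ret_hex)
        if nxt != SENTINEL:  # a further page exists; do not report a partial inventory
            raise ValueError(f"{safe}: more pages remain, inventory incomplete")
        for m in mods:
            by_module[m].add(safe)
        if set(mods) - allowlist:
            unapproved[safe] = sorted(set(mods) - allowlist)
    shared = {m: sorted(s) for m, s in by_module.items() if len(s) >= shared_threshold}
    return unapproved, shared

def encode_page(mods, nxt=SENTINEL):  # builds constructed return data for offline use
    pad = lambda a: "00" * 12 + a[2:]
    return "0x" + f"{64:064x}" + pad(nxt) + f"{len(mods):064x}" + "".join(map(pad, mods))

DELAY = "0x" + "d1" * 20  # constructed stand-in for a shared delay module
OTHER = "0x" + "0e" * 20  # constructed stand-in for an unreviewed module
SAMPLE = {"safe-a": encode_page([DELAY]), "safe-b": encode_page([DELAY, OTHER]),
          "safe-c": encode_page([DELAY])}

if __name__ == "__main__":
    print(audit(SAMPLE, allowlist={DELAY}, shared_threshold=3))
```

In practice the hex strings would come from `eth_call` results against each Safe, starting the listing at the sentinel address; the "shared" output is the blast-radius list to review first.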

