Gnosis Pay, the self-custodial Visa debit card built on Gnosis Chain that lets users spend stablecoins directly from their own Safe wallets, was hit by an active exploit targeting the "delay module" that controls its card accounts, co-founder Martin Köppelmann said in a post on X on Monday.
Gnosis said it would cover any losses in full. "Rest assured, Gnosis will cover all user losses," Köppelmann said. The company has not said how much was taken or how many accounts were affected, and has not published a technical breakdown of the attack.
GNO, the token of the broader Gnosis ecosystem, traded around $118 on Monday, down about 2.8% over 24 hours even as the broader crypto market edged up roughly 0.8% over the same period, according to data from CoinGecko.
The breach strikes at the core promise of smart-contract-based payment cards. Gnosis Pay links a self-custodial wallet to the Visa network, so users keep control of their funds until the moment they spend. Because card accounts delegate spending authority to smart-contract modules, a flaw in one of those modules can move funds under permissions the user already granted.
What Köppelmann said
Köppelmann tied the incident to the delay module directly. The attacker "can initiate tx from Safes with such a delay module," he said in a post on X, adding that the team was taking steps to contain the damage, "like asking bridge validators to pause" to limit cross-chain transfers.
Gnosis Pay's official account confirmed the issue and initially urged users to act. "A bug related to the @gnosispay delay module has been discovered. We are investigating," the account said, telling users able to withdraw funds from their card to their wallet to do so, and that "affected users will be reimbursed."
Köppelmann then walked back that advice. He said he had deleted an earlier post telling users to withdraw, writing that "most users will not be able to do so, but we are actively working to contain the damage." He said Gnosis believed it could contain the majority of the losses and would "ensure that all users are made whole."
Blockchain security firm PeckShield also flagged the active exploit on Monday, advising Gnosis Pay users to check their exposure and withdraw their EURe and GNO where possible.
How the delay module works
Per Gnosis's own engineering write-up, Gnosis Pay card accounts run on Safe smart accounts fitted with two modules: a Roles Module that authorizes card payments, and a Delay Module that imposes a roughly three-minute wait before outgoing transactions execute. The delay is meant to give users a window to react before a transfer goes through. The modules are part of Zodiac, Gnosis's open-source toolset for Safe-based accounts.
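To make the queue-then-wait behaviour concrete, here is an added simulation (not Gnosis or Zodiac code) of a delay module that accepts a transaction, refuses to execute it until the cooldown has elapsed, and exposes the pending window that a wallet owner or monitor could watch. The cooldown value, the `cancel` control and the `pending_alerts` helper are assumptions for illustration, not details the article confirms about the real module.

```python
from dataclasses import dataclass, field

# Roughly three minutes, per the write-up; the exact value is assumed here.
COOLDOWN_SECONDS = 180


@dataclass
class QueuedTx:
    to: str
    value: int
    queued_at: int          # unix timestamp when the tx entered the queue
    cancelled: bool = False


@dataclass
class DelayModule:
    """Simplified model: every outgoing tx waits `cooldown` seconds before it can run."""
    cooldown: int = COOLDOWN_SECONDS
    queue: list = field(default_factory=list)
    executed: list = field(default_factory=list)

    def propose(self, to: str, value: int, now: int) -> int:
        self.queue.append(QueuedTx(to, value, now))
        return len(self.queue) - 1          # index of the queued tx

    def cancel(self, index: int) -> None:
        # Assumed owner control: the reaction window exists so this can happen.
        self.queue[index].cancelled = True

    def executable_at(self, index: int) -> int:
        return self.queue[index].queued_at + self.cooldown

    def execute(self, index: int, now: int) -> bool:
        tx = self.queue[index]
        if tx.cancelled or now < self.executable_at(index):
            return False                    # still inside the delay, or withdrawn
        self.executed.append((tx.to, tx.value))
        return True


def pending_alerts(module: DelayModule, now: int) -> list:
    """Defender view: (index, seconds left) for every live tx whose window is still open."""
    return [
        (i, module.executable_at(i) - now)
        for i, tx in enumerate(module.queue)
        if not tx.cancelled and now < module.executable_at(i)
    ]
```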
Past attack
The exploit follows a separate incident a week earlier, in which about $3 million was drained from 86 Safe wallets across Ethereum and Base, according to security firm Blockaid. That attack abused a third-party module called SquidRouterModule, which is unrelated to Gnosis Pay's Delay Module, and Squid said its protocol and users were not involved.
Gnosis said it is still investigating and will share further updates. The company has not committed to a timeline for a full post-mortem or for confirming the total amount at risk.
