
The Zodiac Verification Breach: Deconstructing the Gnosis Pay Exploit and the Zero-Loss Recovery Model

On June 1, 2026, the decentralized finance (DeFi) ecosystem was shaken as Gnosis Pay confirmed an active exploit targeting its Zodiac Delay Module, a critical security component designed to protect institutional-grade Safe wallets. Despite the breach involving highly sensitive “verification gates,” Gnosis co-founder Martin Köppelmann has issued a 100% reimbursement guarantee, marking a pivotal moment in protocol accountability as the industry recovers from a turbulent spring of infrastructure-level vulnerabilities.

By Priya Sharma | June 1, 2026

The Incident

The first alerts surfaced in the early hours of June 1, 2026, when security firm PeckShield identified anomalous outbound transactions originating from Gnosis Pay accounts. The suspicious activity was localized to wallets utilizing the Zodiac Delay Module, a secondary security layer intended to provide a mandatory time-buffer for all transactions. Martin Köppelmann, co-founder of Gnosis, quickly moved to social media to confirm the “active exploit,” initially urging all users to withdraw their EURe (Monerium Euro) and GNO holdings immediately.

As the situation escalated, the protocol transitioned into “containment mode.” This emergency response involved Gnosis requesting bridge validators to pause operations cross-chain, effectively trapping the attacker’s movements but also rendering many users unable to perform manual withdrawals. The incident follows a broader trend of “infrastructure fatigue” in the DeFi sector; only days prior, a separate $3.2 million exploit targeted the SquidRouterModule, though the Gnosis Pay team clarified that the current breach is fundamentally different, rooted in a core implementation flaw rather than a third-party bridge dependency.

Technical Post-Mortem

The technical core of the vulnerability lies within the Zodiac Delay Module’s verification logic. In a standard Gnosis Safe environment, the Zodiac framework allows developers to add sophisticated logic to “Safes” without modifying the core contract. The Delay Module specifically acts as a “security backstop,” forcing a mandatory cooldown period between a transaction’s initiation and its final execution. This is designed to give DAO members or institutional security teams time to veto malicious or erroneous transactions.

According to preliminary analysis by on-chain researchers, the attacker discovered a bypass in the module’s “verification gates.” These gates are supposed to validate that a transaction has cleared the required delay and matches the original parameters. However, an implementation flaw allowed the attacker to effectively “reset” the timer or spoof the validation status, granting them the ability to initiate and finalize unauthorized transfers in a single block. Crucially, the core Gnosis Safe smart contracts—which secure billions in TVL across the Ethereum and Gnosis Chain ecosystems—remain unaffected. The flaw was isolated to the specific implementation of the Zodiac module used by Gnosis Pay to manage user card balances and treasury flows.
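To make the two gate conditions concrete, the following is an added, simplified model of a delay module written for this article; it is not Zodiac's or Gnosis Pay's code, and the contract address and amounts are constructed sample values. A queued transaction is stored as a hash commitment over its parameters plus a queue nonce, with the timestamp at which it entered the queue. Execution passes only if the caller reproduces the exact parameters and the cooldown has elapsed; the commitment is consumed on execution so it cannot replay, re-queueing the same transfer never touches the original timer, and a reviewer can veto a queued entry during the wait. The `demo()` function walks one transfer through the same-block, tampered-parameter, replay and veto cases described above.

```python
"""Simplified model of a delay-module verification gate (added illustration, not Zodiac's code)."""
from dataclasses import dataclass, field
from hashlib import sha256
import json


@dataclass(frozen=True)
class Tx:
    """The parameters the executor must reproduce exactly at execution time."""
    to: str
    value: int
    data: str  # hex-encoded calldata


def tx_hash(tx: Tx, nonce: int) -> str:
    """Commit to every parameter plus the queue nonce, so the same transfer
    queued twice gets two independent timers and altered params never match."""
    payload = {"to": tx.to, "value": tx.value, "data": tx.data, "nonce": nonce}
    return sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


@dataclass
class DelayModule:
    cooldown: int                                   # seconds between queue and earliest execution
    queued_at: dict = field(default_factory=dict)   # tx hash -> timestamp when it entered the queue
    nonce: int = 0

    def queue(self, tx: Tx, now: int) -> int:
        """Record the commitment and start its timer. Returns the nonce to execute with."""
        h = tx_hash(tx, self.nonce)
        if h in self.queued_at:  # cannot happen while nonce is part of the hash
            raise ValueError("commitment already queued")
        self.queued_at[h] = now
        self.nonce += 1
        return self.nonce - 1

    def veto(self, tx: Tx, nonce: int) -> bool:
        """Reviewer removes a queued transaction during the cooldown."""
        return self.queued_at.pop(tx_hash(tx, nonce), None) is not None

    def check(self, tx: Tx, nonce: int, now: int) -> str:
        """The verification gate: 'ok' or the reason execution is refused."""
        h = tx_hash(tx, nonce)
        if h not in self.queued_at:
            return "unknown commitment (never queued, vetoed, or parameters differ)"
        if now < self.queued_at[h] + self.cooldown:
            return "cooldown not elapsed"
        return "ok"

    def execute(self, tx: Tx, nonce: int, now: int) -> bool:
        """Execute only if the gate passes; consume the commitment so it cannot replay."""
        if self.check(tx, nonce, now) != "ok":
            return False
        del self.queued_at[tx_hash(tx, nonce)]
        return True


def demo() -> dict:
    """Walk a queued transfer through the gate under the conditions discussed in the text."""
    mod = DelayModule(cooldown=3600)
    pay = Tx(to="0xCARD_BALANCE_CONTRACT_PLACEHOLDER", value=500, data="0x")  # constructed sample
    n = mod.queue(pay, now=1_000)
    results = {}
    # Same block: the cooldown has not elapsed, so queue-and-execute in one block is refused.
    results["same_block"] = mod.execute(pay, n, now=1_000)
    # Tampered parameters after the wait: the commitment does not match.
    results["tampered"] = mod.execute(Tx(to=pay.to, value=5_000, data=pay.data), n, now=4_600)
    # Re-queueing the same transfer starts a fresh timer but leaves the original one untouched.
    n2 = mod.queue(pay, now=4_000)
    results["original_timer_intact"] = mod.check(pay, n, now=4_600) == "ok"
    results["requeue_not_ready"] = mod.check(pay, n2, now=4_600)
    # Honest execution once the cooldown has elapsed, then a replay of the consumed commitment.
    results["after_cooldown"] = mod.execute(pay, n, now=4_600)
    results["replay"] = mod.execute(pay, n, now=4_601)
    # A reviewer vetoes the second queued copy before its timer runs out.
    results["veto"] = mod.veto(pay, n2)
    results["vetoed_exec"] = mod.execute(pay, n2, now=10_000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is that both conditions are evaluated against state written at queue time and never rewritten afterwards: the only operations on a commitment are create, veto and consume. A gate in which the timestamp or the validation flag can be updated by a later call is exactly the surface the article describes as a "reset" or "spoof" of the validation status.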

Governance Impact

The fallout from the Zodiac breach has sparked an immediate debate within the GnosisDAO regarding the risks of “module-heavy” security architectures. While the Zodiac framework is praised for its modularity, this incident highlights the “complexity penalty” that occurs when multiple security modules interact. In response, Gnosis leadership has taken an unprecedented stance on protocol liability. Köppelmann confirmed that the Gnosis treasury will cover 100% of user losses, ensuring that Gnosis Pay cardholders and Safe users are made whole.

This “Zero-Loss Recovery Model” is being viewed as a gold standard for DeFi accountability, especially as institutional adoption hinges on such guarantees. However, the governance decision to pause bridge validators has raised concerns about decentralization. While effective at stopping the attacker, the ability to “halt” value flow on-demand reminds the market of the trade-offs between absolute security and censorship resistance. The GnosisDAO is expected to vote on a permanent “Circuit Breaker” proposal later this month to formalize these emergency powers into a transparent, multi-sig controlled framework.

TVL Shifts

While the broader market remains relatively stable—with Bitcoin (BTC) trading at $71,455.00 and Ethereum (ETH) at $1,974.92—the specific impact on Gnosis Chain and its native assets has been pronounced. The “containment mode” has temporarily frozen significant portions of the EURe and GNO liquidity pools. Before the pause, analysts observed a rapid outflow of liquidity as sophisticated actors attempted to exit positions before the bridge shutdown.

  • Gnosis Chain TVL — Early estimates suggest a temporary dip as users de-risk, though the 100% reimbursement pledge has prevented a total “run on the bank.”
  • EURe Stability — As a regulated stablecoin backed by Monerium, the asset itself remains solvent, but its on-chain liquidity is currently fragmented.
  • May Market Context — CertiK data released today shows that total crypto exploit losses in May 2026 fell to $68.3 million, a 90% drop from the $650 million lost in April. The Gnosis incident, however, threatens to reverse this downward trend for June.

Long-Term Prognosis

The Gnosis Pay incident is likely to accelerate the industry-wide shift toward “Deep Infrastructure Audits.” Following the $293 million Kelp DAO breach in April and the ongoing laundering of those funds—with $220 million recently moved through mixers—the DeFi sector is moving away from surface-level smart contract reviews. Protocols like Aave have already implemented new collateral evaluation frameworks that scrutinize bridge architectures and oracle dependencies with a level of rigor previously reserved for traditional banking software.

For Gnosis Pay, the path forward involves a complete refactoring of the Zodiac module stack. The protocol is expected to transition toward a Zero-Knowledge (ZK) verification model for its delay modules, where transaction validity can be mathematically proven without relying on complex, gate-based logic. Despite the temporary setback, the Gnosis brand may emerge stronger due to its decisive reimbursement policy. In a market where Solana (SOL) is trading at $80.19 and Chainlink (LINK) at $8.98, the ability to guarantee user safety during a technical failure is becoming the primary differentiator for “Blue Chip” DeFi protocols.

The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice.


11 thoughts on “The Zodiac Verification Breach: Deconstructing the Gnosis Pay Exploit and the Zero-Loss Recovery Model”

  1. rekt_contractor

    the verification gate bypass is wild. you build a delay module specifically to add time for review and someone finds a way to skip the timer entirely. grim.

    1. gnosis_sentry

      the delay module was supposed to be the last line of defense. if you can bypass the timer on a verification gate the whole multi-sig stack is theater

      1. gnosis_sentry

        the delay module bypass is the scariest part. if the timer can be skipped it's not a delay, it's a suggestion

        1. safe_guard_

          exactly. calling it a delay module when the timer is bypassable is like having a deadbolt you can open from the outside with a paperclip

    2. rekt_contractor

      the verification gate was supposed to add friction on purpose. removing the friction defeats the entire purpose of the module

  2. Koppelmann stepping up with full reimbursement is huge. Most protocols would take the “code is law” escape hatch. Respect for taking the hit from treasury.

    1. 0xhallucinate.eth

      ^^ exactly. $293M from Kelp DAO in April and they still haven't recovered funds. Gnosis covering 100% day-of sets a bar.

    2. Koppelmann committing to 100% reimbursement on day one is rare. Most founders go quiet for a week then offer 60% in governance tokens.

    3. covering from treasury is the right move but let's see if it's actually 100%. Kelp DAO promised full recovery too and that dragged on for months

      1. vault_keeper_

        Tomas H. Koppelmann said 100% from treasury on day one. Kelp DAO dragged on because they didn't have the treasury to cover it. Gnosis does

  3. if the timer can be skipped on a delay module then it's just a conditional check with a sleep() call. that's not security architecture
