The Gnosis Pay protocol has been facing an active exploit in its infrastructure since June 1, 2026, centered on the component that manages transaction queues. Project co-founder Martin Köppelmann said in an official social media post that the team is working to contain the breach and that the treasury will cover the losses of affected users, after retracting an initial recommendation that users withdraw their assets manually.
Deleted an earlier tweet that asked users to withdraw funds. Most users will not be able to do so, but we are actively working to contain the damage. We believe we can contain the majority of it, and in any case, we will ensure that all users are made whole.
— koeppelmann (@koeppelmann) June 1, 2026
During the early hours of the incident, Köppelmann urged clients to withdraw their balances immediately. This alert was amplified by the blockchain security firm PeckShield, which issued an urgent notice to withdraw EURe stablecoin and GNO token holdings from the associated wallets.
Hours later, the executive deleted his initial message after identifying that the system's architecture prevented the majority of users from executing direct withdrawals while the attack was under way, requiring a shift in strategy toward protocol-level containment.
#PeckShieldAlert @koeppelmann has alerted that there is an active exploit related to @gnosispay.
Users are strongly urged to withdraw all funds (EURe and GNO). Please check your exposure, as you may be affected. https://t.co/jiH3okIhLH
— PeckShieldAlert (@PeckShieldAlert) June 1, 2026
Gnosis Pay operates on a smart contract account infrastructure and is linked to Gnosis Chain, an Ethereum Virtual Machine (EVM)-compatible network. Gnosis Chain is designed to process operations with reduced transaction costs and to facilitate the deployment of payment infrastructure. The current vulnerability lies in a shared layer known as the delay module. This component acts as a security mechanism that enforces a predetermined time window between a withdrawal request and its final execution on the blockchain, allowing intervention in emergency cases.
According to the technical assessment of Vadim Zacodil, former core developer of the Near protocol, the operational design of Gnosis Pay routes users' self-custody through this shared transaction queue. By exploiting a logic flaw in this contract, the attacker managed to introduce malicious withdrawals into the queues of thousands of users simultaneously. This attack vector lets the network process withdrawal orders for stored funds without the attacker needing to individually access the private keys of the Safe wallets configured by each client.
Due to the shared nature of this architecture, the immediate protection of user assets does not rely on the standard cryptographic control of their self-custody accounts. Defense depends on the ability of the Gnosis team to intervene in the affected smart contracts, halt the routing infrastructure, or pause the centralized services linked to card payments. The announced corrective action is based on the corporate financial commitment to restore the affected balances using their own funds, rather than reverting on-chain transactions.
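The delay window described above only helps if something reviews each queue before its entries mature. The following is an added example, not code from Gnosis Pay or the Zodiac delay module: a simplified monitoring model that flags unapproved queued withdrawals and the cross-account burst pattern the assessment describes. The account names, recipients, allowlist, cooldown and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

COOLDOWN = 180  # seconds; constructed value, not the protocol's real setting

@dataclass(frozen=True)
class Queued:
    account: str    # smart account whose delay queue received the entry
    nonce: int      # position in that account's queue
    to: str         # withdrawal recipient
    amount: int
    queued_at: int  # unix time the entry was added

def triage(events, allowlist, now, burst_accounts=3, burst_window=60):
    """Return (skip, late, alerts) for queue entries with unapproved recipients."""
    bad = [e for e in events if e.to not in allowlist.get(e.account, set())]
    # Still inside the cooldown: can be cancelled before execution.
    skip = [e for e in bad if now < e.queued_at + COOLDOWN]
    # Cooldown already elapsed: the intervention window was missed.
    late = [e for e in bad if now >= e.queued_at + COOLDOWN]
    # Same recipient queued across many accounts within a short window.
    by_to = defaultdict(list)
    for e in bad:
        by_to[e.to].append(e)
    alerts = []
    for to, entries in by_to.items():
        first = min(e.queued_at for e in entries)
        accounts = {e.account for e in entries
                    if e.queued_at - first <= burst_window}
        if len(accounts) >= burst_accounts:
            alerts.append((to, sorted(accounts)))
    return skip, late, alerts

# Constructed sample data (hypothetical accounts and recipients).
ALLOW = {a: {"card-settlement"} for a in ("safe-A", "safe-B", "safe-C", "safe-D")}
EVENTS = [
    Queued("safe-A", 7, "card-settlement", 25, 1000),
    Queued("safe-A", 8, "unknown-1", 900, 1010),
    Queued("safe-B", 3, "unknown-1", 400, 1012),
    Queued("safe-C", 5, "unknown-1", 750, 1015),
    Queued("safe-D", 1, "friend", 10, 1020),
]

if __name__ == "__main__":
    skip, late, alerts = triage(EVENTS, ALLOW, now=1100)
    print("cancel before maturity:", [(e.account, e.nonce) for e in skip])
    print("already executable:", [(e.account, e.nonce) for e in late])
    print("burst alerts:", alerts)
```

A single unapproved entry is an account-level issue; the same recipient appearing across many queues at once points at the shared layer rather than at any one user's keys.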
This incident occurs just days after an independent security event that compromised a related infrastructure. At the end of May 2026, a malicious actor exploited a flaw in a third-party routing contract, resulting in a 3.2 million dollar exploit. The extraction affected a total of 86 Safe accounts distributed across the Ethereum and Base networks. Subsequently, Safe Labs and the Squid developers published technical analyses detailing that the vulnerability resided outside their core code implementations, being limited to the specific routing module.
The general landscape of cyber incidents in the decentralized ecosystem during May 2026 reflects a decline in the volume of funds extracted. Records provided by the smart contract auditing firm CertiK on May 31, 2026, document that total losses from security breaches stood at 68.3 million dollars. This figure constitutes a drop of nearly 90% in the volume of compromised funds compared to the month of April, marking the third month of the current year with a financial impact below 100 million dollars.
As of press time, the developing entities have not published the technical list of affected addresses, the exact economic value drained from the contracts, or confirmation of whether the origin of the error lies in the base code of the Zodiac delay module or in its specific integration within Gnosis Pay. The total financial impact of this attack is still awaiting technical confirmation.

