Gnosis Pay Delay Module Exploit — June 2026
Gnosis Pay disclosed an active exploit affecting its delay module and card wallet infrastructure on June 1, 2026, then said the issue was being contained and all affected users would be reimbursed in full.
Gnosis Pay disclosed an active exploit on June 1, 2026, in what reporting described as its delay module, with the issue affecting the product’s card wallet infrastructure on Ethereum. The public record, as reflected in contemporaneous reporting, shows a fast-moving incident response rather than a settled postmortem: the exploit was described as active, the team said it was working to contain the damage, and no definitive loss figure or user count was disclosed in the source material. That absence matters. In incident analysis, a confirmed exploit, a known attack surface, and a reimbursement commitment can all be established without a complete accounting of financial impact. Here, the available facts support that narrower conclusion. The event is best understood as a smart-contract-related compromise within Gnosis Pay’s operational stack, with public communications focused first on immediate user action and then on clarifying what action was actually possible.
The most visible feature of the episode was the sequence of public statements from Gnosis co-founder Martin Köppelmann. According to the reporting, he initially urged users to withdraw funds, and that warning was amplified by PeckShield, a blockchain security firm that advised users to check exposure and move assets. Later the same day, Köppelmann retracted the advice and deleted the initial message, stating that most users would not be able to withdraw their funds. That reversal is significant because it illustrates the tension common to live exploit situations: early warnings are often issued under incomplete information, but they can quickly become misleading if the affected system’s actual controls, withdrawal paths, or user permissions do not match initial assumptions. The data available here does not suggest bad faith; it suggests a rapidly evolving understanding of the incident. Still, the communication sequence exposed an operational weakness in crisis handling. A withdrawal warning that cannot be broadly acted upon can create confusion, especially when the affected product sits at the intersection of smart contract custody logic and consumer-facing payment infrastructure.
After retracting the initial advice, Köppelmann said the team was actively working to contain the damage and would make users whole. A Gnosis spokesperson later confirmed that the company had become aware of an exploit affecting Gnosis Pay card wallet infrastructure and stated that all affected users will be reimbursed in full. Those statements are central to the record because they define the company’s position on remediation even in the absence of disclosed on-chain totals or a published breakdown of affected accounts. The language used publicly is also narrower than a claim of complete technical resolution. The team said it had contained or was containing the issue and committed to reimbursement; the source does not establish a finalized forensic report, a complete root-cause writeup, or a full accounting of asset flows. For that reason, the incident should not be characterized as fully resolved in a technical sense on the basis of the source material alone. What can be said is that Gnosis publicly accepted responsibility for user losses tied to the exploit and framed reimbursement as a firm outcome.
The incident also highlights two structural lessons identified in the brief: single point of control and absence of withdrawal monitoring. In practical terms, a delay module is meant to mediate or time-gate certain actions, which makes it part of the control layer rather than a peripheral feature. When a control layer becomes the point of failure, the protective mechanism can itself become the attack surface. That is the broader significance of a smart contract bug in this context. The issue was not described as a market event or a user-side compromise; it was presented as a failure within the infrastructure governing wallet behavior. The second lesson, the absence of withdrawal monitoring, is reflected indirectly in the communication timeline. The initial call to withdraw, followed by a retraction that most users could not do so, suggests that visibility into actionable user exits and system state may not have been clear at the moment of disclosure. Even without additional technical detail, the record supports a cautious conclusion: this was an infrastructure exploit in a payment-linked wallet environment where the control architecture and the incident-response messaging became intertwined. Gnosis’s reimbursement pledge may limit the eventual user harm, but the event remains notable because it exposed how quickly a contract-level flaw in a wallet module can propagate into operational confusion across a consumer-facing product.
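The two structural lessons above can be made concrete with a monitoring sketch. This is an added example, not code from Gnosis Pay or from the reporting, and it does not model the actual exploit: the queue record, field names, cooldown, allowlist and sample data are all assumptions constructed for illustration. It flags queued transfers that can still be vetoed, and destinations that many wallets are queueing toward at once, a pattern that points at the shared control layer rather than at one user.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class QueuedTx:  # hypothetical record of one delay-queue entry
    nonce: int
    wallet: str
    to: str
    amount: int
    queued_at: int  # unix seconds when the entry was queued

def vetoable_alerts(queue, allowlist, now, cooldown):
    """Entries still inside the cooldown whose destination is not allowlisted."""
    alerts = []
    for tx in queue:
        seconds_left = tx.queued_at + cooldown - now
        if seconds_left <= 0:
            continue  # already executable: past the veto window
        if tx.to not in allowlist.get(tx.wallet, set()):
            alerts.append((tx.nonce, tx.wallet, seconds_left))
    return alerts

def fan_in_destinations(queue, window, min_wallets):
    """Destinations queued by >= min_wallets distinct wallets within `window` seconds."""
    by_dest = defaultdict(list)
    for tx in queue:
        by_dest[tx.to].append(tx)
    flagged = {}
    for dest, txs in by_dest.items():
        txs.sort(key=lambda t: t.queued_at)
        start = 0
        for end in range(len(txs)):
            # Slide the window start forward until it spans at most `window` seconds.
            while txs[end].queued_at - txs[start].queued_at > window:
                start += 1
            wallets = {t.wallet for t in txs[start:end + 1]}
            if len(wallets) >= min_wallets:
                flagged[dest] = max(flagged.get(dest, 0), len(wallets))
    return flagged

# Constructed sample data (not real addresses or amounts).
SAMPLE_QUEUE = [
    QueuedTx(0, "wallet-a", "settlement", 50, 1000),
    QueuedTx(1, "wallet-b", "unknown-1", 900, 1010),
    QueuedTx(2, "wallet-c", "unknown-1", 700, 1020),
    QueuedTx(3, "wallet-d", "unknown-1", 800, 1030),
    QueuedTx(4, "wallet-a", "settlement", 20, 1300),
]
SAMPLE_ALLOWLIST = {w: {"settlement"} for w in ("wallet-a", "wallet-b", "wallet-c", "wallet-d")}
```

The `seconds_left` value in each alert is the remaining time in which a queued entry could still be cancelled; once it reaches zero the monitor has nothing left to veto and the case moves to incident response.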
Timeline
- Exploit reported in Gnosis Pay delay module
  Cointelegraph reported an active exploit affecting Gnosis Pay's delay module and said the team was working to contain it.
- Köppelmann urges users to withdraw funds
  Martin Köppelmann initially warned users to withdraw funds, a warning amplified by PeckShield.
- Warning retracted and deleted
  Köppelmann later withdrew the advice and deleted the initial tweet, saying most users would not be able to withdraw their funds.
- Gnosis says it will cover losses
  Köppelmann said the team was actively working to contain the damage and would make users whole.
- Spokesperson confirms incident and reimbursement
  A Gnosis spokesperson said the team became aware of an exploit affecting Gnosis Pay card wallet infrastructure and that all affected users will be reimbursed in full.
- Article updated with Gnosis statement
  Cointelegraph updated the article to include a statement from a Gnosis spokesperson.
Who was involved
- Martin Köppelmann (person, bystander)
- PeckShield (project, bystander)
- Safe Labs (project, bystander)
- Gnosis (project, victim)
- Gnosis Pay (project, victim)
Structural failures identified
Sources
- Gnosis Pay exploit hits delay module as team pledges refunds, Cointelegraph — Active exploit in Gnosis Pay delay module, initial withdrawal warning, retraction, pledge to reimburse users, and Gnosis spokesperson confirmation.