Gnosis initiated containment procedures on Monday following an active exploit targeting the delay module within its Gnosis Pay product. Co-founder Martin Köppelmann confirmed the breach and committed the project to covering all user losses. His initial reaction was to urge users to withdraw funds, a directive quickly amplified by blockchain security firm PeckShield, which advised immediate withdrawal of EURe and GNO tokens to limit exposure.
However, this guidance was subsequently retracted and the original communication deleted, as Köppelmann clarified that most users would be technically unable to execute withdrawals. He reaffirmed that the Gnosis team is actively working to contain the damage and ensure users are made whole. Gnosis remains a foundational Ethereum project renowned for its smart contract wallet infrastructure and the Gnosis Chain, an EVM-compatible network utilized for payments and decentralized finance applications.
The shifting official guidance has left critical questions about the scope of the incident unresolved. Key uncertainties include the total value stolen, the specific contracts or users affected, and whether the vulnerability originates in the Zodiac delay module itself, in its configuration within Gnosis Pay, or in a broader architectural flaw. Cointelegraph attempted to contact Gnosis and Gnosis Pay for further comment but had not received a response by publication time. Former Near protocol core developer Vadim Zacodil provided technical context, explaining that Gnosis Pay's design routes user self-custody through a shared delay layer. This mechanism queues outgoing transactions from multiple Safes simultaneously, meaning a bug or exploit in this layer can push malicious withdrawals into thousands of user queues at once, even though individual private keys never move.
Zacodil argued that in this specific incident, user protection relies less on the self-custodial nature of Safe accounts and more on Gnosis's operational ability to pause infrastructure and commit treasury funds to cover losses. Data compiled by Woofun AI highlights the systemic risk inherent in shared delay layers where a single point of failure can cascade across numerous user accounts. This incident occurs just days after a separate exploit involving a third-party module connected to Safe, the smart contract wallet infrastructure originally incubated within the Gnosis ecosystem and now developed by Safe Labs. In that prior event, a SquidRouterModule contract interacting with Safe wallets was abused to drain approximately $3.2 million from roughly 86 Safes across Ethereum and Base networks.
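As an added illustration (not code from Gnosis, Gnosis Pay, Safe or the Zodiac project, and not a reconstruction of the bug discussed in this article), the following Python models the queue-and-cooldown behaviour of a delay layer shared across many Safes. The class names, the cooldown and expiration timings, the four constructed Safes and the destination addresses are all assumptions made for the demonstration. It shows the two points above: one fan-out at the shared layer lands a queued withdrawal in every Safe regardless of whose keys signed anything, and an operator pause followed by skipping the pending entries during the cooldown window is what stops those withdrawals from executing.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class QueuedTx:
    to: str
    value: int
    queued_at: int  # timestamp at which the tx entered the queue

@dataclass
class DelayQueue:
    """Per-Safe delay queue: a hypothetical simplified model, not Zodiac's source.
    A tx is executable from queued_at+cooldown until queued_at+cooldown+expiration."""
    cooldown: int
    expiration: int
    txs: List[QueuedTx] = field(default_factory=list)
    tx_nonce: int = 0  # index of the next tx eligible to execute

    def enqueue(self, to: str, value: int, now: int) -> int:
        self.txs.append(QueuedTx(to, value, now))
        return len(self.txs) - 1  # position in the queue

    def execute_next(self, now: int) -> Optional[QueuedTx]:
        if self.tx_nonce >= len(self.txs):
            return None  # nothing queued
        tx = self.txs[self.tx_nonce]
        ready_at = tx.queued_at + self.cooldown
        if now < ready_at or now > ready_at + self.expiration:
            return None  # still cooling, or expired (a real module lets the owner skip it)
        self.tx_nonce += 1
        return tx

    def skip_pending(self) -> int:
        """Owner-only action in a real module: drop everything still queued."""
        skipped = len(self.txs) - self.tx_nonce
        self.tx_nonce = len(self.txs)
        return skipped

class SharedDelayLayer:
    """One executor fronting many Safes' queues and trusted by all of them."""

    def __init__(self, cooldown: int, expiration: int) -> None:
        self.cooldown, self.expiration = cooldown, expiration
        self.queues: Dict[str, DelayQueue] = {}
        self.paused = False  # operator kill switch for the whole layer

    def add_safe(self, safe: str) -> None:
        self.queues[safe] = DelayQueue(self.cooldown, self.expiration)

    def enqueue_all(self, to: str, value: int, now: int) -> int:
        # One call at the shared layer fans out into every Safe's queue.
        for q in self.queues.values():
            q.enqueue(to, value, now)
        return len(self.queues)

    def execute_ready(self, now: int) -> List[Tuple[str, str, int]]:
        if self.paused:
            return []  # paused: nothing leaves any Safe, ready or not
        executed = []
        for safe, q in self.queues.items():
            tx = q.execute_next(now)
            if tx is not None:
                executed.append((safe, tx.to, tx.value))
        return executed

    def skip_all_pending(self) -> int:
        return sum(q.skip_pending() for q in self.queues.values())

def build_layer(n_safes: int = 4) -> SharedDelayLayer:
    layer = SharedDelayLayer(cooldown=180, expiration=1800)  # constructed timings
    for i in range(n_safes):
        layer.add_safe(f"safe-{i}")
    return layer

def drain_without_pause() -> int:
    """Constructed scenario: a malicious fan-out that nobody interrupts."""
    layer, t0 = build_layer(), 1_000
    layer.enqueue_all("0xattacker", 500, t0)  # constructed destination
    early = layer.execute_ready(t0 + 60)  # inside cooldown: nothing executes yet
    return len(early) + len(layer.execute_ready(t0 + 181))  # every Safe pays out

def contain_with_pause() -> dict:
    """Same fan-out, but the operator pauses inside the cooldown window."""
    layer, t0 = build_layer(), 1_000
    fanned = layer.enqueue_all("0xattacker", 500, t0)
    layer.paused = True
    blocked = layer.execute_ready(t0 + 181)  # cooldown over, but layer paused
    skipped = layer.skip_all_pending()  # drop the malicious entries
    layer.paused = False
    layer.queues["safe-0"].enqueue("0xmerchant", 20, t0 + 200)  # normal traffic
    return {"fanned": fanned, "blocked": len(blocked), "skipped": skipped,
            "later": layer.execute_ready(t0 + 400)}
```

`drain_without_pause()` returns how many Safes pay out when the cooldown is simply allowed to elapse; `contain_with_pause()` returns what the pause and skip leave behind, including a legitimate transfer that still goes through afterwards under the normal cooldown. The model is deliberately generic: it reflects the cooldown-then-execute shape the article describes, not the specific contract logic or configuration that was abused.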
Both Safe Labs and Squid attributed the previous vulnerability to factors outside their core protocols, distinguishing it from the current Gnosis Pay issue. The timing of the Gnosis Pay breach is notable given the broader market context of reduced crypto exploit losses over the preceding month. Data compiled by Woofun AI shows that total industry losses fell to approximately $68.3 million in May, a roughly 90% decline from April figures. This marks the third consecutive month this year in which total losses have remained below $100 million. Woofun AI analysis suggests that while aggregate loss figures are trending downward, high-impact incidents targeting core infrastructure modules like the delay layer continue to pose significant risks to user capital and platform integrity.