
Gnosis Pay Hack: What Happened, How the Exploit Worked, and How to Protect Your Crypto

8 June 2026  ·  Updated 8 June 2026

Gabriel Caetano


The June 2026 Gnosis Pay exploit exposed critical risks in debit card-linked crypto wallets after attackers exploited a vulnerability in the Delay Module to drain user funds. This guide explains how the hack worked, what users can learn from it, and why MPC-secured wallets like Bleap offer a safer approach to crypto spending and self-custody.


If you use a crypto debit card, the June 2026 Gnosis Pay hack should be on your radar. On or around June 1, 2026, Gnosis Pay detected an active exploit targeting the Delay Module, a smart-contract component designed to protect user funds. Funds were drained from dozens of Safes, with total losses estimated at approximately $265,000 in EURe and GNO. User trust took a hit, and the incident put a spotlight on the unique security risks that come with linking a debit card to an on-chain wallet.

This article breaks down the Gnosis Pay exploit mechanics, the Delay Module vulnerability at its core, Gnosis's response, and what crypto wallet best practices you should follow going forward. It also covers how MPC wallet security, the architecture Bleap uses for its self-custodial Mastercard, eliminates the exact type of single point of failure this hack exploited.

Your crypto spending card should protect your funds, not put them at risk. Bleap's self-custodial Mastercard uses MPC wallet security, not smart-contract delay modules, to keep you in control. 0% FX fees, up to 20% cashback, no monthly subscription. See how Bleap works →

1. The June 2026 Gnosis Pay Hack: What Happened?

Gnosis co-founder and CEO Martin Koppelmann confirmed the active exploit on X on June 1, 2026. The exploit stemmed from a vulnerability in the Delay Module, allowing attackers to initiate unauthorized transactions. On May 29, the attacker first deployed 41 specialized attack contracts, and the core exploitation occurred on June 1 at approximately 5:26 AM.

As part of containment efforts, Gnosis asked bridge validators to pause operations while investigators and forensic teams coordinated the response. Koppelmann initially urged users to withdraw affected funds in EURe and GNO, but later retracted the recommendation, acknowledging that most users would be unable to retrieve funds due to the exploit's nature. He assured users that Gnosis would fully cover any financial losses incurred.

Who Was Affected?

Gnosis Pay offers a Visa debit card directly linked to users' Gnosis Safe smart contract wallets, allowing spending of stablecoins like EURe without surrendering custody. The exploit affected card-linked Safe accounts but did not impact the broader Gnosis Safe infrastructure or Gnosis Chain itself. Active cardholders with EURe and GNO balances in their linked Safes were at risk. At scale, Gnosis Pay had processed more than $100 million in total volume, over 1.6 million transactions, and more than 50,000 accounts deployed.

2. How the Delay Module Exploit Worked

Technical Breakdown of the Delay Module Vulnerability

The Zodiac Delay Module is designed to impose a waiting period between transaction approval and execution, providing time to detect and block unauthorized activity. Under normal conditions, the delay module queues outgoing transactions for 3 minutes to ensure settlement accuracy and prevent immediate unauthorized withdrawals.

The attackers found a way around this safeguard. According to CertiK's report, the exploit centered on a signature-verification flaw within the GnosisPay Delay module. The attacker exploited how the module's moduleTxSignedBy() function parses r, s, and v values from the msg.data calldata. The attack contracts were engineered to always return the EIP-1271 magic value when called via isValidSignature(), effectively impersonating legitimate signers without providing valid cryptographic proof.

By manipulating the r value, the attacker tricked the module into accepting the malicious transaction. Once the mandatory cooldown period enforced by the Delay Module had elapsed, the attacker executed the queued transactions around 5:57 AM, transferring EURe and GNO from victim Gnosis Safes directly to attacker-controlled wallets.

The key takeaway: Gnosis Safes were compromised not through direct key theft but via a subtle flaw in an integrated delay mechanism. This attack demonstrates how even established protocols can fall victim to advanced calldata manipulation and EIP-1271 signature validation bypasses.
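To make the bug class concrete, here is an added Python model of the signature check. It is not Gnosis Pay's or Zodiac's Solidity, and the shape of the flaw is an assumption drawn from the description above rather than a reproduction of the actual module: in the Safe encoding a contract signature has v == 0 and carries the signer address in r, and the verifier calls that contract's isValidSignature(). The vulnerable version accepts the EIP-1271 magic value from whatever address r names; the hardened version checks that address against the module's authorised signers before trusting the answer. All addresses, hashes and helper names are constructed.

```python
# Model of the EIP-1271 check weakness described above (constructed illustration,
# not Gnosis Pay's or Zodiac's code; the bug class is an assumption, see lead-in).
from typing import Callable, Dict, Set

EIP1271_MAGIC = bytes.fromhex("1626ba7e")  # bytes4(keccak256("isValidSignature(bytes32,bytes)"))
Chain = Dict[bytes, Callable[[bytes, bytes], bytes]]  # address -> isValidSignature()

def parse_contract_sig(sig: bytes) -> bytes:
    """Return the 20-byte signer address packed into r of a 65-byte (r, s, v) signature."""
    if len(sig) != 65 or sig[64] != 0:   # v == 0 marks a contract signature
        raise ValueError("only 65-byte contract signatures (v == 0) are modelled")
    return sig[12:32]                    # r is bytes 0..31; the address is its low 20 bytes

def vulnerable_signed_by(chain: Chain, authorised: Set[bytes], tx_hash: bytes, sig: bytes) -> bool:
    """Flawed pattern: trusts any contract that answers with the magic value; authorised is never consulted."""
    contract = chain.get(parse_contract_sig(sig))
    return contract is not None and contract(tx_hash, sig) == EIP1271_MAGIC

def hardened_signed_by(chain: Chain, authorised: Set[bytes], tx_hash: bytes, sig: bytes) -> bool:
    """Fix: bind the signer to the module's allowlist before asking the contract anything."""
    signer = parse_contract_sig(sig)
    if signer not in authorised:
        return False
    contract = chain.get(signer)
    return contract is not None and contract(tx_hash, sig) == EIP1271_MAGIC

# Constructed scenario: one authorised signer contract and one rogue contract.
LEGIT = bytes.fromhex("11" * 20)        # constructed address of the real signer contract
ROGUE = bytes.fromhex("bb" * 20)        # constructed address of the rogue contract
APPROVED = {b"\x01" * 32}               # hashes the real signer has actually approved

def legit_is_valid(tx_hash: bytes, _sig: bytes) -> bytes:
    return EIP1271_MAGIC if tx_hash in APPROVED else b"\xff\xff\xff\xff"

def rogue_is_valid(_tx_hash: bytes, _sig: bytes) -> bytes:
    return EIP1271_MAGIC                 # "always valid", as the attack contracts did

CHAIN: Chain = {LEGIT: legit_is_valid, ROGUE: rogue_is_valid}
AUTHORISED = {LEGIT}

def contract_sig(signer: bytes) -> bytes:
    """Encode a contract signature: r = address left-padded to 32 bytes, s = 0, v = 0."""
    return signer.rjust(32, b"\x00") + b"\x00" * 32 + b"\x00"

def demo() -> dict:
    forged, unapproved = contract_sig(ROGUE), b"\x02" * 32
    return {
        "vulnerable_accepts_forgery": vulnerable_signed_by(CHAIN, AUTHORISED, unapproved, forged),
        "hardened_accepts_forgery": hardened_signed_by(CHAIN, AUTHORISED, unapproved, forged),
        "hardened_accepts_legit": hardened_signed_by(CHAIN, AUTHORISED, b"\x01" * 32, contract_sig(LEGIT)),
    }
```

The point the model isolates is that the magic value only proves "this contract says yes"; the verifier has to establish who is allowed to say yes before the answer means anything.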

3. Why Debit Card-Linked Crypto Wallets Carry Unique Security Risks

The Gnosis Pay incident illustrates a specific category of risk. It is particularly sensitive because Gnosis Pay links self-custody Safe accounts to card spending: a wallet that is always connected to a payment card presents a persistent attack surface that standard cold-storage setups simply do not have.

Gnosis Pay accounts rely on two primary modules: the Delay Module and the Roles Module. While these features enhance functionality, they also introduce additional attack vectors. Spending permissions, delegated signing authority, and frequent low-value transactions can mask malicious activity. The Zodiac Delay Module was compromised in a way that let the attacker push transactions into users' queues across many wallets simultaneously.

This is why the security architecture behind your crypto spending card matters more than convenience features. A card that relies on smart-contract modules for access control carries fundamentally different risks than one using off-chain cryptographic signing, such as MPC.

4. Gnosis's Response and Prior Security Incidents

Pledge to Cover User Losses

Koppelmann confirmed the active exploit on June 1, stating: "Unfortunately, there is a hack related to Gnosis Pay and the 'delay module.' Please be patient while we try to contain the damage. Rest assured, Gnosis will cover all user losses."

On June 2, Gnosis Pay said the incident had been fully contained and that operations would begin resuming in phases. Every user would receive a new card-linked Safe connected to their existing card and identity profile, and affected users' new Safes would be funded with their original balance. By June 7, Gnosis Pay had restored normal card operations for more than 99% of users.

History of Vulnerabilities

This was not an isolated event. Less than a week earlier, on May 25, 2026, a separate exploit drained $3.2 million from 86 Safe wallets via a rogue third-party module called SquidRouterModule. The root cause was linked to flaws in Zodiac's Roles Modifier and Delay Modifier modules. These incidents demonstrate how even modules designed to enhance security can become liabilities if exploited.

Transparency matters. Users of any crypto spending card should demand published security audits, clear incident-response protocols, and honest communication when things go wrong.

5. Immediate Steps for Affected Users

This is not financial advice. If you were affected, consider these practical steps:

  • Revoke spending permissions and disconnect any dApps connected to your old Gnosis Pay Safe immediately.
  • Move remaining funds to a separate, uncompromised wallet. Deposits to old Gnosis Pay Safe addresses, whether on-chain or via IBAN, will be lost permanently.
  • Enable all available alerts and 2FA on every associated account.
  • Monitor official Gnosis Pay channels for reimbursement updates and migration instructions. Clear instructions are provided directly in the Gnosis Pay web app or the wallet used to access the card.
  • Document losses with timestamps and transaction hashes for any claims process.

Looking for a crypto spending card with a different security model? Bleap's self-custodial Mastercard splits your private key across multiple parties using MPC. No single smart-contract module to exploit, no delay-module risk. 0% FX fees and up to 20% cashback. Get the Bleap card →

6. General Crypto Asset Security Best Practices

Regardless of which crypto spending card or wallet you use, these fundamentals apply:

  • Use hardware wallets for long-term holdings. Hardware wallets remain the most secure option for individual crypto holders in 2026. Keep only spending amounts in hot wallets.
  • Regularly audit connected apps and revoke unused permissions. Phishing remains the number 1 attack vector in crypto, with increasingly sophisticated tactics in 2026.
  • Avoid reusing seed phrases or private keys across platforms.
  • Keep software wallets and firmware updated. Security patches address known vulnerabilities.
  • Protect crypto assets with multi-factor authentication everywhere it is offered. Layer your defenses.

When your spending card is part of the equation, pair these habits with a card that uses a strong underlying security model. Bleap, for example, offers fee-free crypto trading and a self-custodial Mastercard with 0% FX fees, but the real differentiator is the MPC architecture underneath.

7. Custodial vs. Non-Custodial Wallets: Understanding the Risk Difference

Custodial wallets delegate key management to third parties. While convenient, this introduces counterparty risk as you're trusting the custodian's security practices and solvency. If the custodian is hacked or goes insolvent, your funds are at risk.

Non-custodial wallets give you complete control over private keys. However, this places full security responsibility on you. You own your keys, but you also own the risk of smart-contract bugs, phishing, or poor operational security.

The Gnosis Pay exploit sits at a unique intersection. The incident highlights ongoing risks in custodial elements of crypto payment platforms, even those built on decentralized infrastructure. Gnosis Pay is non-custodial in design, but the shared Delay Module introduced a single point of failure that affected many users simultaneously. This is the gap that MPC wallet security is designed to fill.

8. MPC Wallets: A Stronger Security Model for Crypto Spending

What Is Multi-Party Computation (MPC) and Why It Matters?

An MPC wallet is built on Multi-Party Computation, a branch of cryptography. Instead of storing a single private key, the wallet creates multiple encrypted key shares. Each share is stored in different locations. When you approve a transaction, these shares collaborate to sign it, but the complete key never exists in one place. This approach removes the single point of failure inherent in traditional wallets.

In practical terms: if one share is compromised, the attacker cannot sign a transaction because they lack the other distributed pieces.

How MPC-Based Wallets Reduce Exploit Risk

MPC splits a private key into multiple independent shares stored across different devices or locations. At no point is the private key ever fully reconstructed. This eliminates single points of failure and significantly improves security. Unlike the Delay Module approach, where a single smart-contract vulnerability could unlock access across many wallets, MPC requires compromising multiple independent systems simultaneously.

MPC operates off-chain: signing is a cryptographic computation performed between key share holders before anything is broadcast. It is chain agnostic, as the same MPC implementation secures wallets across every blockchain that uses ECDSA or EdDSA.
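As an added illustration of the signing flow described in this section (not Bleap's implementation, whose protocol and curve the page does not state), here is a toy 2-of-2 threshold Schnorr signature with additive key shares in a small prime-order group. A production MPC wallet uses threshold ECDSA or EdDSA over a real curve with distributed key generation and a nonce-commitment round, which this toy omits; the group parameters, the Party class and the message are all constructed for readability.

```python
# Toy 2-of-2 threshold Schnorr signature over additive key shares (constructed
# illustration of the MPC idea in this section, not Bleap's code; see lead-in).
import hashlib
import secrets

P, Q, G = 1019, 509, 4   # p = 2q + 1 (both prime); G = 2^2 generates the order-q subgroup

def challenge(R: int, Y: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R, Y, m) reduced into the exponent group."""
    h = hashlib.sha256(f"{R}|{Y}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q

class Party:
    """One signer. Its key share x and nonce share k never leave this object."""
    def __init__(self) -> None:
        self.x = secrets.randbelow(Q - 1) + 1   # key share; the full key is x_a + x_b mod Q
        self.k = 0
    def pub_share(self) -> int:
        return pow(G, self.x, P)                # g^x_i, safe to publish
    def commit(self) -> int:
        self.k = secrets.randbelow(Q - 1) + 1   # fresh nonce share for every signature
        return pow(G, self.k, P)                # g^k_i (a real protocol commits to this first)
    def partial_sign(self, e: int) -> int:
        return (self.k + e * self.x) % Q        # s_i = k_i + e * x_i

def joint_public_key(a: Party, b: Party) -> int:
    """Y = g^(x_a + x_b), computed from the public shares; nobody adds the secrets."""
    return a.pub_share() * b.pub_share() % P

def threshold_sign(a: Party, b: Party, msg: bytes) -> tuple:
    """Both parties contribute; the combined s equals k + e*x for the never-assembled x."""
    R = a.commit() * b.commit() % P             # R = g^(k_a + k_b)
    e = challenge(R, joint_public_key(a, b), msg)
    s = (a.partial_sign(e) + b.partial_sign(e)) % Q
    return R, s

def verify(Y: int, msg: bytes, sig: tuple) -> bool:
    """Standard Schnorr check g^s == R * Y^e; the verifier cannot tell the key was shared."""
    R, s = sig
    return pow(G, s, P) == R * pow(Y, challenge(R, Y, msg), P) % P
```

Because Schnorr signatures are linear in the key, the partial signatures add up to a signature under the joint key while each party only ever handles its own share; compromising one Party object yields nothing that can sign alone.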

Bleap as a Safer Alternative

Bleap applies MPC technology directly to everyday crypto spending. Instead of relying on on-chain delay modules or permission layers that can be exploited, Bleap's self-custodial Mastercard uses MPC-secured signing to authorize transactions. Key shares are split across multiple parties, so no single compromised component can drain your funds.

This is a fundamentally different architecture from the Delay Module approach Gnosis Pay used. With Bleap, you get a self-custodial account with full control of your funds, 0% FX fees, up to 20% cashback on gaming, streaming, and everyday spending, and fee-free crypto trading, all without the smart-contract risk surface that made the Gnosis Pay hack possible. There is no monthly subscription.

9. What to Look for in a Secure Crypto Spending Product

Before you trust a crypto spending card with your money, check for these features:

  • MPC or threshold-signature architecture. No single private key should be exposed at any point.
  • Transparent security audits published by third-party firms. If a provider has not been audited, that is a red flag.
  • Granular spending controls and real-time transaction alerts. You should know the moment any funds move.
  • Clear incident-response and user-compensation policies. What happens when something goes wrong?
  • Regulatory compliance. A card product operating within regulated frameworks adds an additional layer of accountability.

Bleap checks these boxes with MPC-secured self-custody, a Mastercard debit card you can use anywhere Mastercard is accepted, and no hidden charges. It is a debit card you can use on Steam, PlayStation, or Xbox, with up to 20% cashback.

Buy, hold, and spend crypto with MPC-level security, not delay-module risk. Bleap offers fee-free crypto trading, a self-custodial Mastercard with 0% FX fees, and up to 20% cashback. No monthly subscription, no smart-contract exploit surface. Open a Bleap account →

Frequently Asked Questions

What was the Gnosis Pay exploit and how did it drain funds?

The exploit centered on a signature-verification flaw within the GnosisPay Delay Module. The attacker exploited how the module's moduleTxSignedBy() function parses calldata, using specially crafted attack contracts to impersonate legitimate signers. After waiting through the mandatory cooldown period, the attacker executed queued transactions, transferring EURe and GNO from victim Safes to attacker-controlled wallets. Total losses were estimated at approximately $265,000.

Is Gnosis Pay safe to use after the hack?

Gnosis Pay has restored normal card operations for more than 99% of users, replacing all affected Safe accounts and linking them to users' existing cards. Gnosis pledged to make all affected users whole, covering any losses in full. A detailed post-mortem is expected in the coming weeks. Users should monitor official channels and evaluate whether the updated security measures align with their risk tolerance.

What is a Delay Module in a crypto wallet and why is it risky?

The Zodiac Delay Module is designed to impose a waiting period between transaction approval and execution, providing time to detect and block unauthorized activity. The risk is that this single on-chain component becomes a shared attack surface. Gnosis Safes were compromised not through direct key theft but via a subtle flaw in an integrated delay mechanism. If the module has a bug, every wallet using it can be affected simultaneously.

How does an MPC wallet differ from a standard non-custodial wallet?

A standard non-custodial wallet stores one complete private key (or seed phrase) on a single device. An MPC wallet splits your private key into multiple encrypted parts, making it safer than single-key wallets while keeping you in full control. If a hacker were to compromise one share, it would still be useless without the others. This is the model Bleap uses for its self-custodial Mastercard.

What is the safest way to use a crypto debit card?

Keep only spending amounts loaded on your card-linked wallet. Use hardware wallets for long-term storage. Choose a card with MPC or threshold-signature security rather than smart-contract-module-based access control. Enable real-time alerts and 2FA. Bleap's self-custodial Mastercard applies MPC wallet security with 0% FX fees, fee-free crypto trading, and up to 20% cashback, with no monthly subscription.

What are the main risks of debit card-linked wallets?

Debit card-linked wallets are always "hot," meaning they are connected to the internet and exposed to ongoing risk. Modules like the Delay Module and Roles Module enhance functionality but also introduce additional attack vectors. Delegated spending permissions create extra signing paths that attackers can target. The Gnosis Pay hack showed that even a feature designed for security can become a vulnerability when a smart-contract bug is present.

Conclusion

The June 2026 Gnosis Pay hack exposed a critical weakness in debit card-linked smart-contract wallets. The incident serves as a stark reminder of the complexities involved in securing modular smart contract systems. A single Delay Module vulnerability allowed attackers to drain funds from dozens of wallets simultaneously, despite the platform's non-custodial design.

The core lesson: architecture matters. MPC wallet security eliminates the single points of failure that delay-module exploits target, because no complete key ever exists in one place and no single on-chain module can be weaponized against all users at once.

When choosing a crypto spending card, prioritize the security model above all else. Bleap's self-custodial Mastercard uses MPC-secured signing, charges 0% FX fees, offers up to 20% cashback, and requires no monthly subscription. Buy crypto with no trading fees, spend it anywhere Mastercard is accepted, and keep full control of your funds the entire time.

Open a Bleap account →
