Gnosis Pay Exploited via Delay Module; Company Pledges Full Reimbursement

Gnosis Pay has been exploited via a vulnerability in its delay module smart contract. Co-founder Martin Köppelmann announced the company will reimburse all affected users in full, reversing an earlier warning urging cardholders to withdraw funds.

Hadi Ghadban, June 1, 2026, 3 min read

Gnosis Pay, the payment card service operated by the Gnosis protocol team, has been hit by an active exploit targeting its delay module smart contract. Co-founder Martin Köppelmann announced Monday that the company will reimburse all affected users in full, walking back an earlier warning that had urged cardholders to withdraw funds immediately.

The delay module, a smart contract governing Gnosis Pay card account logic, contained a vulnerability that attackers actively exploited. Gnosis has not disclosed the specific mechanics of the flaw or the total value of funds lost, which makes it difficult to assess the exploit's severity and raises transparency questions about its incident response.

Köppelmann's initial guidance to withdraw funds suggested the team was still assessing the breach's scope when it became public. His subsequent reversal in favor of a full reimbursement pledge signals increased confidence about covering losses. However, the sequence of communications may erode user trust, even if Gnosis honors its commitment to make users whole.

The company will cover losses from its reserves, a move that distinguishes this incident from exploits where users bore permanent losses. Whether Gnosis can sustain that commitment depends on the true scale of the breach, which remains undisclosed.

Gnosis Pay operates as a non-custodial payment card that lets users spend crypto assets directly. The delay module is a core component of its account security architecture, designed to add a time lag between transaction initiation and settlement so that unauthorized transfers can be caught before they settle. The vulnerability undermines one of the service's key security mechanisms.

This exploit follows a pattern of security incidents affecting Gnosis and its ecosystem. The company has faced multiple smart contract vulnerabilities over recent years, though most have been addressed without major user losses. As Web3 payment infrastructure handles larger transaction volumes and stores more user funds, the attack surface expands.

The incident highlights the risk of relying on complex smart contract logic for financial applications. Even well-audited code can contain subtle flaws that attackers discover and exploit before developers patch them. The delay module likely underwent security review, yet the vulnerability persisted until exploitation.

For Gnosis Pay users, the reimbursement pledge provides protection, though undisclosed loss amounts leave uncertainty. The incident may prompt some cardholders to migrate to competing payment solutions or reduce exposure to Gnosis Pay, regardless of the reimbursement commitment. Competitors offering payment card services will likely cite their own security protocols as a differentiator.

Gnosis has not announced whether it will conduct a full audit of the delay module or implement additional safeguards before resuming normal operations. The company's next steps in incident response and communication will be closely watched by the Web3 payments community and users deciding whether to continue using the service.
