Gnosis Pay, a crypto payment platform, is dealing with an exploit linked to its delay module. The vulnerability allowed attackers to bypass a built-in time lock, siphoning funds from users. Co-founder Martin Köppelmann has promised to make affected users whole as the team races to contain further damage.
How the exploit worked
The delay module is supposed to hold transactions for a set period, giving users a chance to cancel suspicious activity. But attackers found a way to circumvent that hold, draining wallets before the delay expired. The company didn't disclose the exact number of victims or the total amount stolen, but Köppelmann called the situation “serious” in an internal message.
Gnosis Pay’s infrastructure relies on smart contracts that enforce transaction delays. This design gives users a window to reverse a transfer if they spot something wrong. The exploit neutralized that window entirely, making it impossible to stop the theft in real time.
Köppelmann’s pledge
Martin Köppelmann said the company would reimburse every user who lost money through the exploit. “We’re going to make this right,” he wrote, according to messages shared by the company. He didn’t give a timeline for payouts but stressed that the reimbursement comes from Gnosis Pay’s own funds, not user deposits.
The commitment is notable in a space where victims often wait months for their money or never get it back. Köppelmann said the priority is helping affected users first, then investigating how the exploit happened.
Containment efforts
Gnosis Pay’s team moved quickly after discovering the breach. They paused the delay module and locked down related contracts. The company said no additional funds have been drained since the initial exploit. Security researchers are auditing the code to close the loophole.
Users who still have funds on the platform are advised to withdraw them manually while the module remains offline. The team said it will announce a fix once testing is complete, but it hasn’t set a date for restoring the delay feature.
The exploit comes just months after Gnosis Pay launched its beta, aiming to bridge traditional payment cards with crypto wallets. The platform had marketed the delay module as a safety net. Now that safety net has become an entry point for attackers.
Köppelmann said the company will share a full post-mortem after the immediate crisis is over. Questions remain about how the oversight got past internal reviews and whether the reimbursement will cover all indirect losses, like missed transactions or fees.




