Gnosis Pay, the self-custodial Visa debit card built on Gnosis Chain, was hit by an active exploit this week. The attack targeted the platform's 'delay module' — the mechanism that controls card accounts. Co-founder Martin Köppelmann posted on X that the company would cover user losses or refund anyone affected.
What the Exploit Hit
Gnosis Pay lets users spend stablecoins directly from their own Safe wallets. The delay module acts as a kind of circuit breaker, introducing a time lag between a transaction request and its execution. Attackers found a way to bypass that protection, draining funds from accounts linked to the module. Köppelmann did not disclose how many users were affected or the total amount stolen, but he acknowledged the exploit was active and ongoing when he first warned the community.
Confusing Guidance for Users
Köppelmann initially urged users to withdraw their funds from Gnosis Pay as a safety measure. Hours later, he walked back that advice, telling users it was no longer necessary — though he didn't explain why the situation had changed. The reversal left many cardholders uncertain about whether their money was safe. The company has not clarified whether the exploit has been fully contained or if the delay module has been patched.
The Company's Response
Gnosis Pay's pledge to cover all losses sets this incident apart from many crypto hacks, in which users are left holding empty bags. But the promise also raises questions: How will the company fund the reimbursements? And why did the delay module — a core security feature — fail in the first place? Köppelmann has not provided those details, nor has he shared a timeline for a post-mortem.
What Happens Next
Investigators are still working to understand how the exploit was carried out. Gnosis Pay has not announced when the service will fully resume normal operations. For now, users are left waiting for a clearer explanation of what went wrong and what steps will prevent a repeat. The delay module's role in the attack suggests it may need a fundamental redesign — but the company has not confirmed that.