Blockchain security firm CertiK recently share an extensive examination and analysis of the June 2026 exploit targeting Gnosis Pay users on the Gnosis Chain. The incident, which occurred on June 1, resulted in the unauthorized drainage of funds from multiple Safe wallets, highlighting sophisticated vulnerabilities in modular smart contract design.
According to insights from CertiK, the attack exploited a critical flaw in the Gnosis Pay Delay module, a component designed to introduce a cooldown period for transactions, giving users time to review and potentially cancel outgoing transfers.
On the day of the exploit, an adversary successfully compromised dozens of these Safes, executing transfers of EURe (a euro-backed stablecoin) and GNO tokens. Total estimated losses reached approximately $265,000.
The core issue stemmed from how the Delay module handled signature verification through its moduleTxSignedBy() function.
This mechanism parsed recovery values (r, s, v) directly from the attacker-supplied transaction data without adequate safeguards against manipulated inputs.
Preparations began days earlier on May 29, when the attacker deployed 41 specialized contracts.
These contracts were engineered to always return the standard EIP-1271 magic value (0x1626ba7e) when called for signature validation, effectively impersonating legitimate authorization.
On June 1, the perpetrator initiated queued transactions via the execTransactionFromModule() entry point. The crafted calldata contained nested signature structures.
The verification process first routed through an intermediary Biconomy Safe before reaching one of the attacker’s malicious contracts.
Because the final contract always approved the signature, the module accepted the transactions as valid despite their malicious intent.
After queuing the transfers, the attacker patiently waited for the Delay module’s cooldown period to expire.
Once elapsed, execution transactions drained assets from victim Safes directly to attacker-controlled addresses. The targeted data payloads specifically moved EURe and GNO tokens.
CertiK identified the vulnerability in the interplay between transaction parsing and signature checking within the module.
The function incorrectly treated portions of the raw calldata—intended for queuing—as valid signature components for verification.
This allowed the attacker to layer signatures: the first directing to a Biconomy Safe and the second to a controlled contract that bypassed real cryptographic checks.
This design permitted the static call to “succeed” in appearance while actually relying on a revert-tolerant mechanism that still accepted the magic return value.
Such nested manipulation exposed how complex modular architectures, while flexible, can introduce subtle validation gaps if not rigorously tested against adversarial calldata crafting.
Following the drainage, the primary exploiter address bridged roughly $246,000 in USDT equivalents from Ethereum to the Hyperliquid network. Funds were subsequently funneled through another wallet, with portions converted into Monero (XMR) for added privacy.
As of the latest tracking, remaining holdings included significant USDC, ETH, and XMR balances distributed across multiple addresses.
The Gnosis Pay incident underscores ongoing challenges in securing layered smart contract systems, particularly those involving signature verification and delayed execution.
Projects using Zodiac modules or similar extensible frameworks should prioritize comprehensive fuzz testing of calldata parsing and multi-layer verification paths.
Gnosis reportedly committed to reimbursing affected users in full, demonstrating accountability.
Nevertheless, the recent incident now serves as a rather concerning reminder that even established protocols must continuously audit integration points between core wallets and specialized modules. Blockchain security firm CertiK has now concluded that decentralized finance evolves in 2026, proper signature validation and strict input sanitization certainly remain essential defenses against increasingly creative attack vectors.