VERSE PRESS

Crypto News, Global First.

Gnosis Co-Founder Pledges Full Reimbursement After Exploit Drains $3.2M From Safe Wallets

Martin Koppelmann says Gnosis will cover all user losses as the team works to contain fallout from a third-party module vulnerability that hit 86 wallets across Ethereum and Base.


Gnosis co-founder Martin Koppelmann publicly committed on June 1, 2026, to fully reimburse users affected by a security exploit tied to infrastructure underlying Gnosis Pay. Gnosis Safe, the multi-signature smart contract wallet system on which Gnosis Pay is built, was targeted through a vulnerable third-party module; Gnosis Pay's card system itself was not compromised. The pledge came roughly one week after attackers drained approximately $3.07 million to $3.2 million from 86 Gnosis Safe wallets in a two-hour window on May 25. Containment efforts were still ongoing at the time Koppelmann made the statement.

"Gnosis will cover all user losses," Koppelmann said, as reported by The Block.

What Happened

The attack exploited a vulnerability in the SquidRouterModule, a third-party integration used with Gnosis Safe wallets. Gnosis Safe is a multi-signature smart contract wallet; the "module" system allows third-party developers to add extra transaction capabilities on top of it. The compromised module accepted a fixed, publicly known string as proof of authorization rather than performing genuine on-chain identity checks. Blockchain security firm Blockaid described the flaw as the module having "accepted a fixed string provided by the caller for message security," effectively eliminating any real authentication.

OpenZeppelin had previously documented this exact vulnerability class, specifically weakly configured Gnosis Safe modules executing wallet transactions without owner approval, making this a known risk category rather than an unforeseeable zero-day event.

Attackers used exploit contracts built with Foundry, a common smart contract development toolkit, to execute unauthorized transactions by impersonating approved delegates. Only wallets that had previously enabled the vulnerable module were at risk; Gnosis Safe's core infrastructure was not compromised. The attacker seeded the operation with 2.1 ETH routed through Tornado Cash, a privacy protocol commonly used to obscure fund origins, and converted stolen assets including USDC, ENA, and USDT into approximately $3.07 million in DAI by routing them through attacker-controlled Uniswap V3 liquidity pools.

Squid Protocol, the legitimate cross-chain bridge service, moved quickly to distance itself from the incident. "This incident is unrelated to Squid's core protocol and contracts. All Squid users and integrators are unaffected and no action is needed," the team said on X. The malicious module shared the Squid name but was not developed, deployed, or operated by the Squid team.

Market Context

GNO, the native token of the Gnosis ecosystem, was trading near $114.74 in late May 2026, with a market cap of approximately $302.9 million. The GnosisDAO treasury reportedly holds roughly $223 million, giving the project the financial capacity to follow through on the reimbursement pledge. A recently proposed governance measure, GIP-140, would allow token holders to redeem GNO at approximately $170 per token. Because that redemption price sits above the prevailing market price, it implies the DAO holds sufficient reserves to buy back tokens at a premium, a signal of underlying treasury strength.

This is not Gnosis's first high-profile security event. In December 2025, Gnosis Chain executed a hard fork to recover $9.4 million frozen during a Balancer exploit, demonstrating the team's willingness to take direct on-chain action to protect users. In 2024, Gnosis Pay was among several crypto projects affected by a data breach at KYC provider Fractal ID.

Regional Implications

Gnosis Pay is a self-custodial Visa debit card that lets users spend stablecoins directly from their on-chain wallet, with no third-party holding their funds. It currently operates in 32-plus European countries plus Argentina and Brazil, and is accepted at over 80 million Visa merchants globally. The service is not yet available in Sub-Saharan Africa or South Asia.

That gap makes these developments more than a distant headline for users in those regions. Just 12 days before Koppelmann's reimbursement statement, Gnosis co-led a $4.4 million seed round for Sorted Wallet alongside Tether. Sorted targets users in Nigeria, Kenya, Tanzania, and Bangladesh, running on feature phones with under 10MB of storage and focusing on non-custodial stablecoin payments and remittances. Tether CEO Paolo Ardoino captured the stakes of that investment plainly: "Financial inclusion requires reaching hundreds of millions of people who cannot afford smartphones or data plans." An exploit that raises questions about Gnosis-backed infrastructure could slow adoption momentum in exactly the markets Sorted is trying to reach.

Gnosis also operates a white-label Visa card platform that allows neobanks and payment processors to launch stablecoin card programs using Gnosis infrastructure. No cases of emerging-market white-label operators being affected have been confirmed, but the architecture raises a concern worth monitoring: if any operator in an emerging market had already integrated that stack, their users could have been exposed regardless of Gnosis Pay's direct geographic availability.

For developers building payment tooling on Gnosis Safe in Lagos, Nairobi, or Dhaka, the incident is a direct call to action. The underlying weakness, a module that trusts its own identity validation instead of verifying actual on-chain signatures, is a pattern that can appear in fast-moving DeFi integration work. Any project using third-party Safe modules should audit all module approvals immediately. As one analysis published by NullTX framed it: "Security is only as strong as the weakest link in a composable ecosystem."


Developer Advisory: Audit Your Safe Module Approvals Now

If your project uses Gnosis Safe with any third-party modules, take the following steps immediately. First, enumerate every module currently enabled on each Safe you operate or maintain. Second, verify that each module performs genuine on-chain signature verification rather than accepting a caller-supplied string as proof of identity. Third, revoke authorization for any module whose logic cannot be confirmed as sound. The SquidRouterModule incident illustrates a broader principle: composable architectures inherit the security posture of every integration in the stack, not just the core protocol. A module that bypasses owner approval is functionally equivalent to removing multi-sig protection entirely.
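The three steps above, worked through as an added example that is not code from the article or from the Safe project. It runs offline against a constructed stand-in for a Safe's module list; the sentinel address 0x1, getModulesPaginated(start, pageSize) and disableModule(prevModule, module) are Safe's real interface, the sample module addresses and the allowlist are assumptions.

```python
# Added example, not code from the article or from the Safe project: enumerate a
# Safe's enabled modules, flag any that are not on an explicit allowlist, and build
# the (prevModule, module) arguments that Safe's disableModule() needs for revocation.
SENTINEL = "0x0000000000000000000000000000000000000001"  # head of Safe's module linked list

# Constructed sample addresses (not real contracts).
ALLOWED_MODULE = "0x" + "aa" * 20
UNKNOWN_MODULE_A = "0x" + "bb" * 20
UNKNOWN_MODULE_B = "0x" + "cc" * 20

class MockSafe:
    """Offline stand-in for a Safe's module linked list (sentinel -> m1 -> ... -> sentinel)."""
    def __init__(self, modules):
        self._next, prev = {}, SENTINEL
        for m in modules:
            self._next[prev] = m
            prev = m
        self._next[prev] = SENTINEL

    def get_modules_paginated(self, start, page_size):
        # Same shape as Safe's getModulesPaginated(start, pageSize) -> (address[], next).
        # Modelled on v1.4.1, where `next` is the last module of the page (reusable as the
        # next `start`) or the sentinel when the list is exhausted; older versions differ.
        page, cur = [], self._next[start]
        while cur != SENTINEL and len(page) < page_size:
            page.append(cur)
            cur = self._next[cur]
        return page, (SENTINEL if cur == SENTINEL else page[-1])

def enumerate_modules(safe, page_size=2):
    """Step 1 of the advisory: follow the pagination until the sentinel comes back."""
    found, start = [], SENTINEL
    while True:
        page, nxt = safe.get_modules_paginated(start, page_size)
        found.extend(page)
        if nxt == SENTINEL:
            return found
        start = nxt

def audit_modules(safe, allowlist, page_size=2):
    """Steps 2-3: anything not explicitly allowlisted (i.e. not reviewed for genuine on-chain
    authorization checks) is queued for disableModule(prevModule, module). Calls are
    returned in reverse list order so each prevModule pointer is still valid when reached."""
    enabled = enumerate_modules(safe, page_size)
    allowed = {a.lower() for a in allowlist}
    revoke = []
    for i, m in enumerate(enabled):
        if m.lower() not in allowed:
            revoke.append((SENTINEL if i == 0 else enabled[i - 1], m))
    return enabled, revoke[::-1]
```

The reverse ordering matters in practice: disabling a module re-links its neighbours, so a prevModule captured from one snapshot goes stale for every later entry unless revocations are applied from the tail of the list backwards (or the list is re-read after each call).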


What Comes Next

In an industry where founders often stay quiet until an incident is fully resolved, Koppelmann's decision to commit publicly to full reimbursement while containment was still active sets an unusual precedent. The move establishes a reputational benchmark that will be tested against the final tally of affected users and amounts. With GnosisDAO's treasury depth and the Sorted partnership still fresh, the team faces pressure to demonstrate that its expansion into high-dependency remittance markets is matched by security execution that users in those markets can trust.