Signature verification flaw in Zodiac Delay module allowed 41 malicious transactions draining $265K
On June 1, 2026, an attacker drained dozens of GnosisPay Safes on Gnosis Chain. The attack vector was a signature-verification flaw in the GnosisPay Delay module. The module checks transactions via moduleTxSignedBy() which parses r,s,v values from attacker-controlled msg.data. By crafting nested signature data, the attacker caused verification to traverse first through a Biconomy Safe and then to an attacker-controlled contract that always returned the EIP-1271 magic value. The attacker queued 41 transactions, waited out the module's cooldown, then executed them. Each transferred EURe and GNO to attacker wallets leading to the loss of ~$265K.
Exploit wallet 0x81BA... bridged ~$246K USDT from Ethereum to Hyperliquid network. Funds were then sent to wallet 0xb183... where part of the funds were swapped for XMR. As of reporting, exploiter wallet held: 147,494 USDC, 1.5 ETH, 28 XMR. Additional XMR was split into four wallets: 0xcce2... (27.33 XMR), 0x3eb1... (55.06 XMR), 0x0dda... (69.30 XMR), 0x31c2... (83.31 XMR).