GnosisPay Incident Analysis
ID: b3af1ee6-c91c-5643-9170-48eb7dff120b
STIX ID: report--b3af1ee6-c91c-5643-9170-48eb7dff120b
Feed Name: CertiK Blog
On 01 June 2026, an attacker exploited a signature-verification flaw in the GnosisPay Delay module to queue and later execute 41 transactions that transferred EURe and GNO from multiple GnosisPay Safes to attacker-controlled wallets (~$265K loss). The attacker used crafted, nested r, s, v signature calldata so that verification reached an attacker contract, which returned the EIP-1271 magic value. The funds were bridged, partially swapped for XMR, and distributed across wallets.
