Root cause of the exploit
Gnosis Pay’s post-mortem on the June 1 security incident attributes the exploit to a flaw in the Zodiac module related to ERC-1271 signature validation. The core issue was that the system relied on the return value from a contract call but did not verify whether the underlying call had actually executed successfully. In practice, this created a gap between a reported “valid” result and a truly successful authorization flow.
The attacker exploited that gap by deploying a malicious contract intentionally designed to fail while still returning a marker interpreted by the system as a valid signature response. That allowed forged authorization to pass validation checks, enabling the attacker to withdraw funds from accounts that did not belong to them. In other words, the exploit did not depend on compromising user keys directly; it depended on abusing flawed signature verification logic inside the contract flow.
When the vulnerability was introduced and when it was fixed
According to the report, the vulnerability was introduced in October 2023 as part of Zodiac code version 3.4.0. That timeline is significant because it shows the flaw had been present in production code for an extended period before the June 1 incident came to light. Gnosis Pay said the issue was fully patched on June 5.
The disclosure frames the event as a logic-level validation failure rather than an isolated operational mishap. By identifying the exact code branch and version in which the defect entered the system, the report provides a clearer audit trail for understanding the exploit path and for narrowing future code review priorities.
Scale of losses and affected wallets
Gnosis Pay said the attacker withdrew about $1.5 million in total, affecting 5,281 wallets. The reported asset breakdown was approximately $641,000 in GNO, $453,000 in EURe, and $399,000 in USDC.e. These figures show that the exploit impacted multiple assets rather than a single token balance.
The company also disclosed that around $300,000 remains locked in inaccessible accounts. The team said it is exploring possible recovery paths for those funds. Based on the post-mortem, the locked amount is separate from the funds already extracted by the attacker and remains an unresolved part of the incident response process.
Response measures and security upgrades
Beyond patching the vulnerability, Gnosis Pay said it will expand its internal security team, engage external auditors, and broaden the scope of its smart contract audit process. These measures indicate that the company is treating the incident as a broader security governance issue rather than only a one-off code defect.
The company also stated that it has completed a full rebuild of the product under v2, aimed at improving both the security architecture and incident response capacity. Taken together, the remediation plan includes immediate patching, wider third-party review, internal team expansion, and product-level redesign.
The original disclosure was published by Gnosis in its official blog post-mortem. Source: https://www.gnosis.io/blog/post-mortem-gnosis-pay-vulnerability-exploit

