Gnosis Pay Post-Mortem: ERC-1271 Validation Flaw Led to $1.5 Million Exploit

Gnosis Pay Post-Mortem: ERC-1271 Validation Flaw Led to $1.5 Million Exploit

N
News Editor
2026-07-03 13:42:26
Gnosis Pay has released a post-mortem on its June 1 security incident, identifying the root cause as a flaw in ERC-1271 signature validation within the Zodiac module. According to the report, the system only checked the contract’s return value and failed to verify whether the call had actually executed successfully. An attacker exploited this by deploying a contract designed to fail while still returning a value interpreted as “valid,” enabling forged authorization and unauthorized withdrawals from accounts they did not own. The vulnerability was introduced in Zodiac code version 3.4.0 in October 2023 and was patched on June 5. Gnosis Pay said the attacker extracted around $1.5 million across 5,281 wallets, including roughly $641,000 in GNO, $453,000 in EURe, and $399,000 in USDC.e. Another approximately $300,000 remains locked in inaccessible accounts, with recovery options still under review. The team said it will expand its security team, bring in external audits, widen smart contract audit coverage, and has already completed a full product rebuild under v2 to improve security and incident response capabilities.
Gnosis PaySecurity IncidentERC-1271ZodiacSmart Contract VulnerabilityOn-chain SecurityExploit

Root cause of the exploit

Gnosis Pay’s post-mortem on the June 1 security incident attributes the exploit to a flaw in the Zodiac module related to ERC-1271 signature validation. The core issue was that the system relied on the return value from a contract call but did not verify whether the underlying call had actually executed successfully. In practice, this created a gap between a reported “valid” result and a truly successful authorization flow.

The attacker exploited that gap by deploying a malicious contract intentionally designed to fail while still returning a marker interpreted by the system as a valid signature response. That allowed forged authorization to pass validation checks, enabling the attacker to withdraw funds from accounts that did not belong to them. In other words, the exploit did not depend on compromising user keys directly; it depended on abusing flawed signature verification logic inside the contract flow.

When the vulnerability was introduced and when it was fixed

According to the report, the vulnerability was introduced in October 2023 as part of Zodiac code version 3.4.0. That timeline is significant because it shows the flaw had been present in production code for an extended period before the June 1 incident came to light. Gnosis Pay said the issue was fully patched on June 5.

The disclosure frames the event as a logic-level validation failure rather than an isolated operational mishap. By identifying the exact code branch and version in which the defect entered the system, the report provides a clearer audit trail for understanding the exploit path and for narrowing future code review priorities.

Scale of losses and affected wallets

Gnosis Pay said the attacker withdrew about $1.5 million in total, affecting 5,281 wallets. The reported asset breakdown was approximately $641,000 in GNO, $453,000 in EURe, and $399,000 in USDC.e. These figures show that the exploit impacted multiple assets rather than a single token balance.

The company also disclosed that around $300,000 remains locked in inaccessible accounts. The team said it is exploring possible recovery paths for those funds. Based on the post-mortem, the locked amount is separate from the funds already extracted by the attacker and remains an unresolved part of the incident response process.

Response measures and security upgrades

Beyond patching the vulnerability, Gnosis Pay said it will expand its internal security team, engage external auditors, and broaden the scope of its smart contract audit process. These measures indicate that the company is treating the incident as a broader security governance issue rather than only a one-off code defect.

The company also stated that it has completed a full rebuild of the product under v2, aimed at improving both the security architecture and incident response capacity. Taken together, the remediation plan includes immediate patching, wider third-party review, internal team expansion, and product-level redesign.

The original disclosure was published by Gnosis in its official blog post-mortem. Source: https://www.gnosis.io/blog/post-mortem-gnosis-pay-vulnerability-exploit

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
700

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.