USDT live
Supply 112.4B +0.8%
Tron share 53.2%
ETH share 38.4%
TRC20 gas $0.95 -2.1%
ERC20 gas $4.20
24h volume $48.2B
English · 中文

Gnosis Pay Hacked, Issuer Pledges Full Reimbursement — But This Isn't the Only Card You Should Be Worried About

2026-06-02

A Gnosis co-founder has confirmed that Gnosis Pay suffered an exploit and publicly pledged to cover 100% of user losses. According to CriptoNoticias, as of publication Gnosis has disclosed neither the amount stolen nor the reimbursement mechanism and timeline. Gnosis Pay is a self-custodial Visa debit card built on Gnosis Chain, marketed around the idea that “card balances are held by users in their own on-chain wallet” — a design choice that sits at the heart of this incident.

Editorial Take: The “Smart Contract Layer” Risk of On-Chain Cards Is Now on the Record

The bottom line up front: what got hit here wasn’t a centralized custodial card — it was a product that built its entire security pitch around smart contracts and on-chain accounts. For USDT card users, the lesson this event carries matters far more than “yet another card got hacked.”

Gnosis Pay’s core narrative is “your money sits in your own Safe wallet; the issuer can’t touch it.” In theory that’s more secure than a custodial setup — but the trade-off is that the attack surface shifts from “the issuer’s servers” to “the smart contract plus your wallet approvals.” Once an exploit hits the contract or the approval logic, the self-custody advantage flips into a liability instantly.

Which users should pay attention right now?

7 / 30 / 90-day outlook: within 7 days, watch whether Gnosis discloses the amount stolen and reimbursement details; within 30 days is the key window for reimbursement to actually land (the gap between “promised” and “paid” is historically underestimated); within 90 days, watch whether Gnosis Pay publishes a post-mortem audit report.

Historical Comparison: A Pledge to Reimburse Is Not the Same as Reimbursement Delivered

Placing this incident alongside two older cases makes the picture clearer.

In March 2023, USDC briefly depegged to around 0.87 due to Silicon Valley Bank exposure. Circle quickly pledged “full redemption” at the time, and delivered on it once the banking turmoil subsided — that was a promise backed by transparent reserves and a clear mechanism. Gnosis’s current pledge, by contrast, lacks disclosure of both amount and mechanism, and that’s the critical difference: when a company says “we’ll cover all losses” without saying how much, using what funds, or by when, the credibility of that promise can only be verified by execution.

Another point of comparison is the “governance treasury reimbursement” cases seen after several 2024 DeFi protocol exploits — a considerable share of which ended up only partially reimbursed, or paid out in native tokens rather than the original asset. The similarity: both are on-chain products with public reimbursement pledges. The difference: Gnosis Pay is directly tied to real-world payments via the Visa network, and its user base includes a large share of non-DeFi-native users who treat it as a daily spending card — their tolerance for “on-chain risk” is far lower than that of DeFi natives.

Regulatory and Compliance Perspective: EU Boundaries Are Tightening

Gnosis Pay primarily targets the European market and operates under the MiCAR and EMI (Electronic Money Institution) regulatory frameworks. This kind of incident lands right at the most sensitive regulatory fault line: a hybrid of self-custodied funds and a regulated payment network currently sits in a gray area where EU rules are not yet fully settled. The card itself (Visa) is bound by EMI licensing obligations, but responsibility for the security of the underlying on-chain account is not clearly assigned under the current framework.

Readers who want to understand the EU-side compliance boundaries can refer to our EU Compliance Guide. In short: under MiCAR, issuers carry clear obligations on the payment side, but for scenarios where “a user’s self-custodied on-chain funds are attacked,” reimbursement responsibility today depends far more on the issuer’s voluntary pledge than on any statutory requirement — which is exactly why Gnosis’s “pledge” matters so much, and why it needs to be watched closely.

Key Milestones Worth Watching Next

Editorial Recommendations

In one line: on-chain cards have written “security” into their sales pitch, but security is a process that has to be proven continuously — not a slogan. Pledging reimbursement is a good start; delivering it is the actual answer.