A Gnosis co-founder has confirmed that Gnosis Pay suffered an exploit and publicly pledged to cover 100% of user losses. According to CriptoNoticias, as of publication Gnosis has disclosed neither the amount stolen nor the reimbursement mechanism and timeline. Gnosis Pay is a self-custodial Visa debit card built on Gnosis Chain, marketed around the idea that “card balances are held by users in their own on-chain wallet” — a design choice that sits at the heart of this incident.
Editorial Take: The “Smart Contract Layer” Risk of On-Chain Cards Is Now on the Record
The bottom line up front: what got hit here wasn’t a centralized custodial card — it was a product that built its entire security pitch around smart contracts and on-chain accounts. For USDT card users, the lesson this event carries matters far more than “yet another card got hacked.”
Gnosis Pay’s core narrative is “your money sits in your own Safe wallet; the issuer can’t touch it.” In theory that’s more secure than a custodial setup — but the trade-off is that the attack surface shifts from “the issuer’s servers” to “the smart contract plus your wallet approvals.” Once an exploit hits the contract or the approval logic, the self-custody advantage flips into a liability instantly.
Which users should pay attention right now?
- Anyone holding a self-custodial or on-chain signature-based card: this includes products like OneKey Card and Ledger Crypto Life, where funds are sourced from a hardware wallet or an on-chain account. This incident doesn’t directly affect them, but the same class of architectural risk is worth reviewing — check your contract approval records.
- Custodial USDT card users: for products like Bybit Card and MPCard, where funds are held in custody by the issuer/exchange, this incident has no direct technical impact — you hold no Gnosis-related approvals.
7 / 30 / 90-day outlook: within 7 days, watch whether Gnosis discloses the amount stolen and reimbursement details; within 30 days is the key window for reimbursement to actually land (the gap between “promised” and “paid” is historically underestimated); within 90 days, watch whether Gnosis Pay publishes a post-mortem audit report.
Historical Comparison: A Pledge to Reimburse Is Not the Same as Reimbursement Delivered
Placing this incident alongside two older cases makes the picture clearer.
In March 2023, USDC briefly depegged to around 0.87 due to Silicon Valley Bank exposure. Circle quickly pledged “full redemption” at the time, and delivered on it once the banking turmoil subsided — that was a promise backed by transparent reserves and a clear mechanism. Gnosis’s current pledge, by contrast, lacks disclosure of both amount and mechanism, and that’s the critical difference: when a company says “we’ll cover all losses” without saying how much, using what funds, or by when, the credibility of that promise can only be verified by execution.
Another point of comparison is the “governance treasury reimbursement” cases seen after several 2024 DeFi protocol exploits — a considerable share of which ended up only partially reimbursed, or paid out in native tokens rather than the original asset. The similarity: both are on-chain products with public reimbursement pledges. The difference: Gnosis Pay is directly tied to real-world payments via the Visa network, and its user base includes a large share of non-DeFi-native users who treat it as a daily spending card — their tolerance for “on-chain risk” is far lower than that of DeFi natives.
Regulatory and Compliance Perspective: EU Boundaries Are Tightening
Gnosis Pay primarily targets the European market and operates under the MiCAR and EMI (Electronic Money Institution) regulatory frameworks. This kind of incident lands right at the most sensitive regulatory fault line: a hybrid of self-custodied funds and a regulated payment network currently sits in a gray area where EU rules are not yet fully settled. The card itself (Visa) is bound by EMI licensing obligations, but responsibility for the security of the underlying on-chain account is not clearly assigned under the current framework.
Readers who want to understand the EU-side compliance boundaries can refer to our EU Compliance Guide. In short: under MiCAR, issuers carry clear obligations on the payment side, but for scenarios where “a user’s self-custodied on-chain funds are attacked,” reimbursement responsibility today depends far more on the issuer’s voluntary pledge than on any statutory requirement — which is exactly why Gnosis’s “pledge” matters so much, and why it needs to be watched closely.
Key Milestones Worth Watching Next
- Disclosure of the amount stolen: whether Gnosis provides a specific figure within a week. The longer the amount stays undisclosed, the more caution is warranted.
- Reimbursement mechanism: will users be reimbursed in the original asset or in GNO tokens? In installments or all at once? This determines how much users actually get back.
- Post-incident audit: whether a third-party security firm is engaged to produce a report, and whether the root cause is made public.
- EU regulatory response: whether any EMI regulator issues a letter or inquiry over this incident — this would become a bellwether for similar products.
Editorial Recommendations
- Current Gnosis Pay users: before reimbursement details are announced, consider moving any wallet balance beyond your near-term spending needs out of the wallet, and review and revoke any unnecessary contract approvals. Don’t keep a high balance sitting there just because “full reimbursement” has been promised.
- Users of on-chain cards such as OneKey Card and Ledger Crypto Life: this incident doesn’t affect you directly, but it’s a good moment to review your contract approvals.
- Custodial USDT card users: no action needed. If you’re weighing self-custody versus custodial approaches for security reasons, you can compare the architectural trade-offs across different cards in our 2026 Top 5 Cards.
- Anyone planning to newly sign up for Gnosis Pay: consider holding off for 30 days, and wait for the reimbursement to land and the audit report to be published before deciding whether to sign up.
In one line: on-chain cards have written “security” into their sales pitch, but security is a process that has to be proven continuously — not a slogan. Pledging reimbursement is a good start; delivering it is the actual answer.