Gnosis Pay's delay module exploit.
This week, attackers drained funds from Gnosis Pay, a self-custody crypto card, by abusing the one feature built to protect users. A delay module sits on a wallet and holds every outgoing transaction for three minutes, giving the owner time to cancel anything they did not approve.
An implementation flaw let the attacker skip that wait entirely. A transaction could be pushed straight out of a wallet that had the module switched on, without ever passing the check. The safeguard became the way in.
The code ran as written. What failed was the assumption that anything reaching the module had already been verified. A control that fails open, letting everything through, is worse than no control at all, because people trusted it and left their funds behind it.