The CommonHub Brussels cooperative woke up on May 25 to find its entire treasury gone. €110,000 drained in one transaction.

All of it, the full savings of a community organization, cleared from a SAFE multisig wallet on Gnosis Chain in roughly an hour. The attacker’s address: 0xfFb3CfcECF29703f9429a5d755b0835537Aa771E, still visible on GnosisScan.

Xavier Damman, who identified himself as part of the CommonHub team, posted the alert on X shortly after 6:00 PM UTC. He wrote that the organization had already contacted Monerium, the regulated e-money issuer whose EURe stablecoin was held in the wallet, and described the response as quick. Gnosis Chain was also tagged for help.

The Wallet Was Protected. Until It Wasn’t.

SAFE multisig wallets are built so that no single key can move funds alone. Multiple signatories must approve. That structure is why DAOs, cooperatives and community treasuries trust them.

But the protection only holds when the keys are actually separate.

As Xavier Damman confirmed on X, both signing keys used to authorize the drain belonged to the same person. Worse, they were stored in the same MetaMask wallet on that person’s main computer. One device. One breach point. Two keys compromised simultaneously.

The multisig threshold was bypassed in a single moment.

@penguinpecker1 pointed this out directly in a post on X, writing that if both keys came from the same MetaMask, the safety guarantee of a multisig was entirely defeated. The post got to the core of it: the failure was operational, not technical.

One Name, Two Mistakes

Damman did not deflect from what went wrong. He confirmed two failures publicly.

First: the two keys should have been stored across two different devices. They were not. Second — and this one is harder to explain away — the person those keys belonged to had already left the organization months before the attack. His signing access was never revoked from the SAFE configuration.

The org had trusted that signatory to maintain basic security standards. When he left, nobody followed up to remove him from the wallet.

A DAO treasurer managing community funds on-chain will recognize this failure pattern immediately. Offboarding a team member in a real-world context is straightforward. In Web3 treasury management, access removal has to be an active, on-chain step. It rarely gets done.

Funds Moved, Not Destroyed

There was a narrow reason for some initial hope. As Damman noted in a follow-up post on X, the attacker converted the EURe holdings to xDAI rather than bridging them out immediately. That meant the funds were still visible on Gnosis Chain at the drainer address.

As @deepcryptodive wrote on X, if the funds remained in xDAI, a recovery path might still exist. The suggestion: contact Gnosis directly, reach out to Stefan D George and the Gnosis team, and post on the governance forum as fast as possible.

Damman responded with what the team had already concluded. Blocking the attacker’s address would not work. xDAI can be re-wrapped and remixed quickly, making address-level freezes pointless. The funds, while technically visible on-chain, were effectively out of reach.

Griff Green, known in Web3 circles as griff.eth, replied to the thread suggesting the attacker profile could match North Korean-linked groups. Damman did not confirm this but did not dismiss it either.

What the Chain Shows

On-chain data from GnosisScan at the time of publication shows the drainer address holding a balance of $128,133.06 across five chains, with three recorded transactions. The token transaction history shows the EURe-to-xDAI conversion that Damman described.

The full SAFE transaction history of the compromised CommonHub wallet is publicly accessible on app.safe.global.

This incident sits in a wider pattern. Blockchain security firm Blockaid, in a separate incident also reported on May 25, identified a SquidRouterModule exploit that hit at least 86 Gnosis Safe wallets, draining nearly $3 million. That attack was smart-contract-based. CommonHub’s loss came through something less technical and more preventable.

Recovery Looks Unlikely

Monerium confirmed contact with the team and was described as responsive. Gnosis Chain has not made a public statement on the CommonHub case as of the time of publication.

The broader lesson for any small organization, cooperative or community fund running on-chain treasury tools: SAFE’s security model depends entirely on the team maintaining it. Key hygiene. Regular audits of who still holds signing authority. Offboarding procedures that include revoking wallet access. None of that is automatic.

€110,000 was the entire savings of a community. The wallet worked exactly as designed. The people managing it did not.
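The two operational failures described above (one person, and one device, holding enough keys to meet the threshold alone; a departed member never removed from the owner set) can be caught by a routine check of the Safe's owner list against the organisation's own records. The following is an added example written for this article, not code from CommonHub, Safe or Gnosis; the owner snapshot, names and addresses are constructed, and in practice the owner list and threshold would be read from the Safe contract's getOwners() and getThreshold().

```python
# Added example: audit a Safe owner set against the org's roster for the
# failure modes in the article. Owners/threshold are a constructed snapshot;
# a real audit reads them from the Safe contract (getOwners/getThreshold).
from collections import Counter
from dataclasses import dataclass

@dataclass
class Signer:
    address: str         # owner address as registered on the Safe
    person: str          # who controls the key, from the org's own records
    active_member: bool  # still part of the organisation?
    device: str          # where the key lives, e.g. "ledger-1", "metamask-laptop"

def audit_safe(owners, threshold):
    """Return a list of findings; an empty list means the configuration is sound."""
    findings = []
    # 1. Departed members must be removed on-chain, not merely trusted.
    for o in owners:
        if not o.active_member:
            findings.append(f"stale signer {o.address}: {o.person} has left the org")
    # 2. The threshold only protects if no single person can meet it alone...
    for person, n in Counter(o.person for o in owners).items():
        if n >= threshold:
            findings.append(f"{person} controls {n} keys and can meet the {threshold}-key threshold alone")
    # 3. ...and no single device (one breach point) holds enough keys either.
    for device, n in Counter(o.device for o in owners).items():
        if n >= threshold:
            findings.append(f"device {device} holds {n} keys and can meet the threshold alone")
    return findings

# Constructed 2-of-3 Safe modelled on the incident: two of three keys belong to
# a former member and sit in the same hot wallet on one laptop.
INCIDENT_OWNERS = [
    Signer("0x" + "a1" * 20, "alice", True, "ledger-1"),
    Signer("0x" + "b1" * 20, "bob", False, "metamask-laptop"),
    Signer("0x" + "b2" * 20, "bob", False, "metamask-laptop"),
]
THRESHOLD = 2

# The same Safe after offboarding bob and replacing his keys with two other
# members' hardware-wallet keys.
FIXED_OWNERS = [
    Signer("0x" + "a1" * 20, "alice", True, "ledger-1"),
    Signer("0x" + "c1" * 20, "carol", True, "ledger-2"),
    Signer("0x" + "d1" * 20, "dave", True, "ledger-3"),
]

if __name__ == "__main__":
    for f in audit_safe(INCIDENT_OWNERS, THRESHOLD):
        print("FINDING:", f)
    print("fixed config findings:", audit_safe(FIXED_OWNERS, THRESHOLD))
```

Run on a schedule, or as part of the offboarding checklist, the point is that the check fails loudly until the on-chain owner set actually matches who is still on the team.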