x402 Ecosystem Faces Security Risks, GoPlus Security Reports
A recent security audit highlights major vulnerabilities in the fast-growing x402 crypto ecosystem. This collection of projects revives the HTTP 402 “Payment Required” status code concept.
Originally designed to require payment before accessing web content, HTTP 402 was rarely used. Crypto developers adopted this idea to enable automated payments at the protocol level.
Over months, many projects joined the x402 ecosystem, ranging from tokens to cross-chain payment tools. Some are meme tokens launched quickly, often without adequate security measures.
GoPlus Security Audit Results
GoPlus Security scanned over 30 x402-related projects using an AI-driven audit engine. These projects were sourced from Binance Wallet, OKX Wallet, and community lists.
The audit found most projects had at least one high-risk security issue. Key vulnerabilities included:
- Excessive Authorization: Owners can withdraw funds at will.
- Signature Replay: Lack of protections allows reusing digital signatures for unauthorized actions.
- Honeypot Structures: Hidden owner-only functions block user withdrawals.
- Unlimited Minting: Mint functions without a supply cap let the owner dilute existing holders and drive down token value.
Recent Incidents and Project-Specific Risks
- October 28: 402bridge was exploited due to excessive authorization. Attackers stole USDC from over 200 accounts.
- November 12: Hello402 faced unlimited minting and centralization issues, causing a token price drop.
GoPlus highlighted several risky projects showing patterns of concentrated control and unrestricted token minting:
- FLOCK (0x5ab3): Owner can extract any tokens via transferERC20.
- x420 (0x68e2): crosschainMint function allows unlimited minting.
- U402 (0xd2b3): mintByBond function mints tokens without limits.
- MRDN (0xe57e): Owner can withdraw any tokens using withdrawToken.
- PENG (0x4444ee, 0x444450, 0x444428): manualSwap lets owner extract ETH; transferFrom bypasses allowance checks.
- x402Token (0x40ff): transferFrom bypasses allowance checks.
- x402b (0xd8af5f): Owner extracts ETH; transferFrom bypasses allowances.
- x402MO (0x3c47df): Owner extracts ETH; transferFrom bypasses allowances.
- H402 (Old) (0x8bc76a): Owner can mint without limit via addTokenCredits and redeemTokenCredits.
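The two patterns that recur in the list above, a transferFrom that bypasses allowance checks and a mint function with no cap, shown beside hardened forms in an added Solidity sketch; this is illustrative code, not code from GoPlus or from any listed project, and the contract names and the cap constructor parameter are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed illustration, not code from any project named in the report.
// Plain transfer() and events are omitted to keep the contrast short.

contract VulnerableToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    // Defect: allowance[from][msg.sender] is never read or reduced,
    // so any caller can move any holder's balance.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract HardenedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;
    uint256 public immutable cap; // fixed at deployment, cannot be raised later
    address public owner = msg.sender;
    constructor(uint256 cap_) { cap = cap_; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // The spender must hold an allowance from `from`, and it is consumed on use.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount; // checked arithmetic reverts if balance < amount
        balanceOf[to] += amount;
        return true;
    }

    // Minting is bounded by the immutable cap; an uncapped mint lets the owner
    // dilute every holder at will (the "Unlimited Minting" finding above).
    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(totalSupply + amount <= cap, "cap exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```

When reviewing a token, confirm that transferFrom reads and decrements the allowance and that every mint path is bounded by a cap or fixed supply.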
The x402 ecosystem grew rapidly, attracting developers and token creators, but security has lagged behind. GoPlus Security plans to keep monitoring and auditing new projects.
Despite the innovative concept behind x402, users should remain cautious and favor projects with verified security measures.