On October 27, an unknown hacker attacked the cross-chain bridge 402bridge, stealing tokens worth 17,693 USDC. A private-key leak compromised more than a dozen of the team’s test and main wallets.
According to GoPlus security experts, the incident was caused by “excessive authorisation” before minting. The attacker changed the owner of the compromised smart contract and, using the transferUserToken method, transferred remaining authorised USDC from the wallets of more than 200 users. He then stole the stablecoins, converted them into 4.2 ETH and moved the funds to the Arbitrum network.
Experts recommended that all affected users revoke approvals on smart contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5.
As 402bridge explained, the x402 mechanism requires users to sign or approve transactions via the web interface, which are then sent to a backend server. The backend server extracts the funds and performs the minting, before returning a result to the user.
“When connecting to the site, we need to store the private key on the server to call contract methods. This step may expose administrator privileges, since at this stage the key is connected to the internet. If a leak occurs, a hacker will be able to obtain these privileges and reroute the user’s funds to carry out an attack,” the team of the affected project explained.
The developers have notified law-enforcement authorities and are conducting an internal investigation.
SlowMist experts suggested the breach may have been an inside job.
The hack is the first public case of theft linked to the protocol’s x402 service. The latter is a tool for online payments designed for stablecoin transactions. It also allows AI agents to execute autonomous deals.
Coinbase unveiled the project in May. The solution is based on the HyperText Transfer Protocol (HTTP), which is used for data exchange between web browsers and servers.
Within a month, on-chain activity in x402 grew more than tenfold.
Two days before the 402bridge incident, crypto researcher Gabriel Shapiro and Solana co-founder Anatoly Yakovenko debated the security of layer-2 solutions.
Shapiro argued that L2s do not have to be decentralised, since they are secured by the Ethereum blockchain: users can force their transactions to be included in blocks, and the risks of centralised control are offset by L1 mechanisms.
According to Yakovenko, the vulnerability of current L2s lies in their reliance on multisigs, which can change bridge contracts without notice and directly control funds. He contrasted this with validators in Solana, who have no ability to interfere with the network’s state.
Shapiro noted that modern multisigs, for example in ZKsync, are backed by legal and governance guarantees, not just code. Yakovenko, however, argued that legal constructs do not eliminate the technical risk of centralised control.
In the thread’s finale, the Solana co-founder said that L2s do not inherit Ethereum’s security but replicate the vulnerabilities of cross-chain bridges such as Wormhole.
Shapiro, for his part, sees L2s as a distinct layer of trust trade-offs that, he says, will become more reliable with advances in zero-knowledge proofs.
According to experts at Global Ledger, the crypto industry’s main problem has become the speed of fund withdrawals by attackers after hacks. Cross-chain bridges are the primary tool for laundering stolen money.
