On October 27, an unknown hacker attacked the 402bridge cross-chain bridge and stole tokens worth 17,693 USDC. A private-key leak also compromised more than a dozen of the team’s test and main wallets.
According to GoPlus security experts, the incident stemmed from “excessive authorisation” before minting. The attacker changed the owner of the compromised smart contract and, using the transferUserToken method, transferred excess USDC to the accounts of more than 200 users. He then drained the stablecoins, converted them into 4.2 ETH and sent the funds to the Arbitrum network.
Experts advised all affected users to revoke approvals on smart contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5.
As 402bridge explained, the x402 mechanism requires users to sign or approve transactions via the web interface, which are then sent to a backend server. The backend extracts funds and mints tokens.
“When connecting to the site, we need to store the private key on the server to call contract methods. This step may expose administrator privileges, as at this stage their key is connected to the internet. If a leak occurs, a hacker can seize these privileges and redirect the user’s funds to carry out an attack,” the team of the affected project explained.
The developers notified law enforcement and are conducting an internal investigation.
According to the suggestion of SlowMist experts, the breach may have been the work of an insider.
The attack is the first publicly reported theft linked to the x402 protocol’s service. The latter is a tool for online payments designed for stablecoin transactions. It also allows AI agents to execute autonomous deals.
Coinbase unveiled the project in May. The solution is based on the HyperText Transfer Protocol (HTTP), used for data exchange between web browsers and servers.
Over a month, on-chain activity on x402 grew more than tenfold.
Two days before the 402bridge incident, crypto researcher Gabriel Shapiro and Solana co-founder Anatoly Yakovenko debated the security of layer-2 solutions.
Shapiro argued that L2s need not be decentralised because the Ethereum base layer protects them: users can force inclusion of transactions in blocks, and the risks of centralised administration are offset by L1 mechanisms.
Yakovenko countered that today’s L2s are vulnerable because they depend on multisigs that can alter bridge contracts without notifying users and can directly control funds. He contrasted this with Solana validators, who cannot interfere with the network state.
Shapiro noted that modern multisigs, such as in ZKsync, are backed by legal and governance assurances, not just code. Yakovenko’s view is that legal constructs do not eliminate the technical risk of centralised control.
In the thread’s finale, the Solana co-founder said L2s do not inherit Ethereum’s security but instead replicate the vulnerabilities of cross-chain bridges like Wormhole.
Shapiro, for his part, sees L2s as a separate layer of trust trade-offs that, he says, will become more robust as ZK proofs advance.
According to Global Ledger experts, the crypto industry’s biggest problem has become the speed of fund withdrawals by attackers after hacks. Cross-chain bridges have become the main tool for laundering money.
