Over 200 users lose USDC in x402bridge hack as GoPlus flags private-key breach

A few days after its launch, the cross-layer protocol x402bridge suffered a security breach that led to more than 200 users losing their USDC holdings.

On October 28, Web3 security firm GoPlus Security raised an alert through its Chinese social media account, warning users of unusual authorisations linked to x402bridge.

The exploit, which drained about $17,693 worth of USDC, has prompted renewed scrutiny over how private key leaks and excessive authorisations continue to expose decentralised protocols to attacks.

GoPlus uncovers suspicious authorisations

GoPlus Security identified that the contract creator, beginning with 0xed1A, transferred ownership to an address starting with 0x2b8F.

This address was granted administrative privileges previously held by the x402bridge team, enabling it to modify key settings and transfer assets.

Shortly after assuming control, the new address used a function called “transferUserToken” to drain all USDC from wallets that had granted prior authorisation to the contract.

The 0x2b8F address moved approximately $17,693 worth of USDC before converting the stolen tokens into ETH. The converted funds were later sent to the Arbitrum network through several cross-chain transactions.

GoPlus advised affected users to immediately cancel any ongoing authorisations and verify official project addresses before approving further transactions.

Security experts suspect private key leak

On-chain investigators and security firms, including SlowMist, reported that the likely cause of the exploit was a private key leak, though insider involvement could not be dismissed.

Following the breach, all x402bridge operations were halted, and the project’s website went offline. The official x402bridge account confirmed the security incident, stating that both team test wallets and main wallets had been compromised.

The team said it has reported the case to law enforcement and is working with investigators to trace the source of the leak.

The protocol clarified that the x402 mechanism requires users to sign or approve transactions through a web interface. The authorisation is then sent to a backend server responsible for extracting funds and minting tokens.

During onboarding, private keys are stored on the server to facilitate contract method calls. This step, according to the team, exposes admin privileges because the private key remains connected to the internet, creating potential vulnerabilities.

Rising usage of x402 before the exploit

The attack came at a time when x402 transactions were recording rapid growth. On October 27, the market value of x402 tokens exceeded $800 million for the first time.

Coinbase’s x402 protocol also processed about 500,000 transactions in a single week, reflecting a surge of more than 10,780% compared to the previous month.

The protocol’s ability to facilitate payments using HTTP 402 Payment Required status codes has been hailed as a bridge between human and AI-driven transactions, enabling instant stablecoin payments for APIs and digital content.

However, the recent breach underscores persistent security concerns across Web3 protocols that rely on user authorisations.

GoPlus reiterated that users should only approve the required amount rather than granting unlimited permissions and should frequently review and revoke unnecessary authorisations.
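One way to carry out the approval review GoPlus describes, as an added example that is not from the original article or the x402bridge project: it replays ERC-20 `Approval` event logs and lists the allowances to one spender contract that are still live and either unlimited or larger than needed. The addresses, the log entries, the `needed` threshold and the helper names are constructed for illustration.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0c7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 2**255  # assumption: at or above this counts as "unlimited"

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs):
    """Replay logs in chain order; the last Approval per (token, owner, spender) wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # skip other events (an ERC-721 Approval has 4 topics)
        key = (log["address"].lower(), topic_to_address(topics[1]),
               topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}  # 0 means revoked

def risky_approvals(logs, spender, needed=0):
    """Live approvals to `spender` that are unlimited or above `needed`."""
    findings = []
    for (token, owner, sp), value in sorted(outstanding_approvals(logs).items()):
        if sp != spender.lower():
            continue
        if value >= UNLIMITED_FLOOR:
            findings.append((owner, token, "unlimited"))
        elif value > needed:
            findings.append((owner, token, "excess"))
    return findings

# Constructed sample data: placeholder addresses, not real accounts or contracts.
TOKEN, BRIDGE, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
ALICE, BOB, CAROL = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20

def approval_log(block, owner, spender, value):
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": TOKEN, "blockNumber": block, "logIndex": 0,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    approval_log(105, BOB, BRIDGE, 0),               # Bob revokes later
    approval_log(100, ALICE, BRIDGE, 2**256 - 1),    # unlimited
    approval_log(101, BOB, BRIDGE, 5_000_000),
    approval_log(102, CAROL, BRIDGE, 50_000_000),    # 50 USDC (6 decimals)
    approval_log(103, ALICE, OTHER, 2**256 - 1),     # different spender
]
```

Event replay is only a first pass: `transferFrom` spends down an allowance, so the token contract's `allowance(owner, spender)` view is the authoritative value before deciding what to revoke.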

Next steps for affected users and the investigation

In its official update, the x402bridge team said it is working with law enforcement agencies to track the stolen assets and strengthen internal security measures.

While no recovery timeline has been announced, the incident serves as another reminder for both developers and users to prioritise private key safety and conduct regular audits of authorisation systems.

The breach highlights a recurring weakness in blockchain protocols that depend heavily on user authorisation layers and internet-connected admin keys.

Security experts have warned that even protocols with strong on-chain architecture can remain exposed if backend key management is not properly secured.

The post Over 200 users lose USDC in x402bridge hack as GoPlus flags private-key breach appeared first on Invezz