
402bridge loses over 17,000 USDC
402bridge hacked; 17,693 USDC stolen after private-key leak compromised team wallets.
On October 27, an unknown hacker attacked the cross-chain bridge 402bridge, stealing tokens worth 17,693 USDC. A private-key leak compromised more than a dozen of the team’s test and main wallets.
Due to this private key leak, more than a dozen of the team’s test and main wallets have also been compromised (ex. screenshot below).
We have promptly reported the incident to law enforcement authorities and will keep the community informed with timely updates as the… pic.twitter.com/AZfgd1yWKG
— 402bridge (@402bridge) October 28, 2025
According to GoPlus security experts, the incident was caused by “excessive authorisation” before minting. The attacker changed the owner of the compromised smart contract and, using the transferUserToken method, transferred remaining authorised USDC from the wallets of more than 200 users. He then stole the stablecoins, converted them into 4.2 ETH and moved the funds to the Arbitrum network.
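1/ #x402 major pitfall❗️ Excessive (unlimited) approval can be fatal……
The x402 cross-chain protocol @402bridge appears to have been hacked: the Creator of contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5 transferred Owner to 0x2b8F95560b5f1d1a439dd4d150b28FAE2B6B361F, and the new Owner then called the contract's transferUserToken method to transfer the remaining USDC out of the wallets of all users who had granted approval.… pic.twitter.com/hegqhap3Od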
— GoPlus中文社区 (@GoPlusZH) October 28, 2025
Experts recommended that all affected users revoke approvals on smart contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5.
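One way to check for the approvals described above, as an added example that is not from the article, 402bridge or GoPlus: it replays ERC-20 Approval logs (in eth_getLogs shape) to find wallets that still hold a non-zero approval to the contract named above, and builds the calldata for the allowance(owner, spender) query and the approve(spender, 0) revocation. Only the spender address comes from the article; the token address, wallet addresses and sample logs are constructed placeholders.

```python
SPENDER = "0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5"  # contract named in the article
# Standard ERC-20 identifiers: Approval(address,address,uint256) topic, function selectors
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
SEL_ALLOWANCE, SEL_APPROVE = "dd62ed3e", "095ea7b3"
MAX_UINT256 = 2**256 - 1

def word(value):
    """ABI-encode an address (hex string) or uint256 (int) as one 32-byte hex word."""
    if isinstance(value, int):
        return format(value, "064x")
    return value.lower().replace("0x", "", 1).rjust(64, "0")  # drop prefix, left-pad

def topic_addr(topic):
    return "0x" + topic[-40:].lower()  # indexed address = last 20 bytes of the topic

def outstanding_approvals(logs, spender=SPENDER):
    """Replay Approval logs in chain order; return {(token, owner): amount} still non-zero."""
    state = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        t = log["topics"]
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if topic_addr(t[2]) == spender.lower():
            state[(log["address"].lower(), topic_addr(t[1]))] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v}  # a later approve(spender, 0) revokes

def allowance_calldata(owner, spender=SPENDER):
    """eth_call data for token.allowance(owner, spender), the authoritative on-chain check."""
    return "0x" + SEL_ALLOWANCE + word(owner) + word(spender)

def revoke_calldata(spender=SPENDER):
    """Transaction data for token.approve(spender, 0), to be signed by the wallet owner."""
    return "0x" + SEL_APPROVE + word(spender) + word(0)

def _log(block, idx, owner, spender, amount, token):  # constructed log, eth_getLogs shape
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": [APPROVAL_TOPIC, "0x" + word(owner), "0x" + word(spender)],
            "data": "0x" + word(amount)}

# Constructed sample data: placeholder token and wallet addresses, not real ones.
TOKEN, WALLET_A, WALLET_B, OTHER = ("0x" + c * 40 for c in "a123")
SAMPLE_LOGS = [
    _log(18, 0, WALLET_B, SPENDER, 0, TOKEN),            # B revokes its approval
    _log(16, 0, WALLET_A, SPENDER, MAX_UINT256, TOKEN),  # unlimited, never revoked
    _log(17, 0, WALLET_B, SPENDER, 5_000_000, TOKEN),    # B approves 5 USDC (6 decimals)
    _log(17, 1, WALLET_A, OTHER, MAX_UINT256, TOKEN),    # different spender: ignored
]
print(outstanding_approvals(SAMPLE_LOGS), revoke_calldata(), sep="\n")
```

Approval logs record the amount granted, not what remains after the spender has pulled funds, so confirm with the allowance call before and after revoking.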
As 402bridge explained, the x402 mechanism requires users to sign or approve transactions via the web interface, which are then sent to a backend server. The backend server extracts the funds and performs the minting, before returning a result to the user.
The x402 mechanism requires users to sign or approve transactions via the web interface, which are then sent to a backend server. The backend server extracts the funds and performs the minting, finally returning a result to the user.
When we onboard to https://t.co/RJ3Cz5txDh,…
— 402bridge (@402bridge) October 27, 2025
“When connecting to the site, we need to store the private key on the server to call contract methods. This step may expose administrator privileges, since at this stage the key is connected to the internet. If a leak occurs, a hacker will be able to obtain these privileges and reroute the user’s funds to carry out an attack,” the team of the affected project explained.
The developers have notified law-enforcement authorities and are conducting an internal investigation.
SlowMist experts suggested the breach may have been an inside job.
First attack on the x402 ecosystem
The hack is the first publicly known theft linked to the x402 protocol, a tool for online payments designed for stablecoin transactions. It also allows AI agents to execute autonomous deals.
Coinbase unveiled the project in May. The solution is based on the HyperText Transfer Protocol (HTTP), which is used for data exchange between web browsers and servers.
Within a month, on-chain activity in x402 grew more than tenfold.
Debate over L2 security
Two days before the 402bridge incident, crypto researcher Gabriel Shapiro and Solana co-founder Anatoly Yakovenko debated the security of layer-2 solutions.
What supporters don’t understand
1) all existing L2s have a permissioned multisig that can override the bridge contract without notice
2) escape hatch isn’t a property of the L2s, it’s the property of the bridge.
3) There is no Eng blocker to build a bridge on solana for… https://t.co/fTyxYQrbx1
— toly 🇺🇸 (@aeyakovenko) October 25, 2025
Shapiro argued that L2s do not have to be decentralised, since they are secured by the Ethereum blockchain: users can force their transactions to be included in blocks, and the risks of centralised control are offset by L1 mechanisms.
According to Yakovenko, the vulnerability of current L2s lies in their reliance on multisigs, which can change bridge contracts without notice and directly control funds. He contrasted this with validators in Solana, who have no ability to interfere with the network’s state.
Shapiro noted that modern multisigs, for example in ZKsync, are backed by legal and governance guarantees, not just code. Yakovenko, however, argued that legal constructs do not eliminate the technical risk of centralised control.
In the thread’s finale, the Solana co-founder said that L2s do not inherit Ethereum’s security but replicate the vulnerabilities of cross-chain bridges such as Wormhole.
Shapiro, for his part, sees L2s as a distinct layer of trust trade-offs that, he says, will become more reliable with advances in zero-knowledge proofs.
According to experts at Global Ledger, the crypto industry’s main problem has become the speed of fund withdrawals by attackers after hacks. Cross-chain bridges are the primary tool for laundering stolen money.