402bridge protocol loses more than 17,000 USDC

A hacker drained 17,693 USDC from 402bridge after a private-key leak compromised team wallets.

On October 27, an unknown hacker attacked the 402bridge cross-chain bridge and stole tokens worth 17,693 USDC. A private-key leak also compromised more than a dozen of the team’s test and main wallets.

According to GoPlus security experts, the incident stemmed from “excessive authorisation” before minting. The attacker changed the owner of the compromised smart contract and, using the transferUserToken method, transferred excess USDC to the accounts of more than 200 users. He then drained the stablecoins, converted them into 4.2 ETH and sent the funds to the Arbitrum network.

Experts advised all affected users to revoke approvals on smart contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5.
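
What revoking an approval means at the ERC-20 level, as an added example that is not part of the original article or of 402bridge's code: it builds the allowance(owner, spender) read and the approve(spender, 0) transaction for the contract named above. The token and wallet addresses are placeholders (the article does not give them), and the node responses used to exercise it are constructed.

```python
# Added example: check and revoke an ERC-20 approval at the ABI level.
SPENDER = "0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5"  # contract named in the article
TOKEN = "0x" + "11" * 20  # PLACEHOLDER: USDC token contract on the affected chain
OWNER = "0x" + "22" * 20  # PLACEHOLDER: the user's own wallet address

SEL_ALLOWANCE = "dd62ed3e"  # selector of allowance(address,address)
SEL_APPROVE = "095ea7b3"    # selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1    # value wallets commonly use for "unlimited" approvals


def _addr_word(addr):
    """Left-pad a 20-byte hex address to one 32-byte ABI word."""
    h = (addr[2:] if addr[:2].lower() == "0x" else addr).lower()
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not a 20-byte address: %r" % addr)
    return h.rjust(64, "0")


def allowance_call(token, owner, spender):
    """JSON-RPC eth_call request that reads allowance(owner, spender)."""
    data = "0x" + SEL_ALLOWANCE + _addr_word(owner) + _addr_word(spender)
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}


def decode_allowance(result_hex, decimals=6):
    """Decode the uint256 that eth_call returns; USDC uses 6 decimals."""
    raw = int(result_hex, 16)
    return {"raw": raw,
            "tokens": raw / 10**decimals,
            "unlimited": raw == MAX_UINT256,
            "needs_revoke": raw > 0}  # any non-zero allowance is still spendable


def revoke_tx(token, owner, spender):
    """Unsigned fields for approve(spender, 0); the user signs it in their wallet."""
    data = "0x" + SEL_APPROVE + _addr_word(spender) + "0" * 64
    return {"from": owner, "to": token, "value": "0x0", "data": data}


if __name__ == "__main__":
    print(allowance_call(TOKEN, OWNER, SPENDER))
    # Constructed node response: an unlimited approval still in place.
    print(decode_allowance("0x" + "f" * 64))
    print(revoke_tx(TOKEN, OWNER, SPENDER))
```

After the revoke transaction confirms, repeating the allowance read should return zero.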

As 402bridge explained, the x402 mechanism requires users to sign or approve transactions via the web interface; these are then sent to a backend server, which extracts funds and mints tokens.

“When connecting to the site, we need to store the private key on the server to call contract methods. This step may expose administrator privileges, as at this stage their key is connected to the internet. If a leak occurs, a hacker can seize these privileges and redirect the user’s funds to carry out an attack,” the team of the affected project explained.

The developers notified law enforcement and are conducting an internal investigation.

SlowMist experts suggested that the breach may have been the work of an insider.

First attack on the x402 ecosystem

The attack is the first publicly reported theft linked to the x402 protocol’s service. x402 is a tool for online payments designed for stablecoin transactions. It also allows AI agents to execute autonomous deals.

Coinbase unveiled the project in May. The solution is based on the HyperText Transfer Protocol (HTTP), used for data exchange between web browsers and servers.

Over a month, on-chain activity on x402 grew more than tenfold.

Debate over L2 security

Two days before the 402bridge incident, crypto researcher Gabriel Shapiro and Solana co-founder Anatoly Yakovenko debated the security of layer-2 solutions.

Shapiro argued that L2s need not be decentralised because the Ethereum base layer protects them: users can force inclusion of transactions in blocks, and the risks of centralised administration are offset by L1 mechanisms.

Yakovenko countered that today’s L2s are vulnerable because they depend on multisigs that can alter bridge contracts without notifying users and can directly control funds. He contrasted this with Solana validators, who cannot interfere with the network state.

Shapiro noted that modern multisigs, such as those in ZKsync, are backed by legal and governance assurances, not just code. Yakovenko’s view is that legal constructs do not eliminate the technical risk of centralised control.

In the thread’s finale, the Solana co-founder said L2s do not inherit Ethereum’s security but instead replicate the vulnerabilities of cross-chain bridges like Wormhole.

Shapiro, for his part, sees L2s as a separate layer of trust trade-offs that, he says, will become more robust as ZK proofs advance.

According to Global Ledger experts, the crypto industry’s biggest problem has become the speed of fund withdrawals by attackers after hacks. Cross-chain bridges have become the main tool for laundering money.
