{"id":90381,"date":"2025-10-28T18:00:00","date_gmt":"2025-10-28T16:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=90381"},"modified":"2025-10-28T17:03:20","modified_gmt":"2025-10-28T15:03:20","slug":"402bridge-protocol-loses-more-than-17000-usdc","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/402bridge-protocol-loses-more-than-17000-usdc\/","title":{"rendered":"402bridge protocol loses more than 17,000 USDC"},"content":{"rendered":"<p>On October 27, an unknown hacker attacked the 402bridge <a href=\"https:\/\/forklog.com\/en\/news\/what-are-cross-chain-bridges\">cross-chain bridge<\/a> and stole tokens worth 17,693 USDC. A private-key leak also compromised more than a dozen of the team\u2019s test and main wallets.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Due to this private key leak, more than a dozen of the team\u2019s test and main wallets have also been compromised (ex. screenshot below). <\/p>\n<p>We have promptly reported the incident to law enforcement authorities and will keep the community informed with timely updates as the\u2026 <a href=\"https:\/\/t.co\/AZfgd1yWKG\">pic.twitter.com\/AZfgd1yWKG<\/a><\/p>\n<p>\u2014 402bridge (@402bridge) <a href=\"https:\/\/twitter.com\/402bridge\/status\/1983042581190853022?ref_src=twsrc%5Etfw\">October 28, 2025<\/a><\/p><\/blockquote>\n<p>According to GoPlus security experts, the incident stemmed from \u201cexcessive authorisation\u201d before minting. The attacker <a href=\"https:\/\/basescan.org\/tx\/0x089a6336425c6ee6d8954923763cbaeef1173ce44b5c0ab853c85863726e46e2\">changed the owner<\/a> of the compromised smart contract and, using the transferUserToken method, transferred excess USDC to the accounts of more than 200 users. 
He then drained the <a href=\"https:\/\/forklog.com\/en\/news\/what-are-stablecoins\">stablecoins<\/a>, converted them <a href=\"https:\/\/etherscan.io\/address\/0x2b8f95560b5f1d1a439dd4d150b28fae2b6b361f\">into 4.2 ETH<\/a> and sent the funds to the Arbitrum network.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"zh\" dir=\"ltr\">1\/ <a href=\"https:\/\/twitter.com\/hashtag\/x402?src=hash&#038;ref_src=twsrc%5Etfw\">#x402<\/a> Big pitfall\u2757\ufe0f Excessive (unlimited) approvals can be fatal\u2026\u2026<\/p>\n<p>The x402 cross-chain protocol <a href=\"https:\/\/twitter.com\/402bridge?ref_src=twsrc%5Etfw\">@402bridge<\/a> appears to have been hacked: the Creator of contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5 transferred Owner to 0x2b8F95560b5f1d1a439dd4d150b28FAE2B6B361F, and the new Owner then called the contract's transferUserToken method to move all remaining USDC out of the wallets of users who had granted approval.\u2026 <a href=\"https:\/\/t.co\/hegqhap3Od\">pic.twitter.com\/hegqhap3Od<\/a><\/p>\n<p>\u2014 GoPlus Chinese Community (@GoPlusZH) <a href=\"https:\/\/twitter.com\/GoPlusZH\/status\/1983015854859338167?ref_src=twsrc%5Etfw\">October 28, 2025<\/a><\/p><\/blockquote>\n<p>Experts advised all affected users to revoke approvals on smart contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5.<\/p>\n<p>As 402bridge explained, the x402 mechanism requires users to sign or approve transactions via the web interface, which are then sent to a backend server. The backend extracts funds and mints tokens.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The x402 mechanism requires users to sign or approve transactions via the web interface, which are then sent to a backend server. 
The backend server extracts the funds and performs the minting, finally returning a result to the user.<\/p>\n<p>When we onboard to <a href=\"https:\/\/t.co\/RJ3Cz5txDh\">https:\/\/t.co\/RJ3Cz5txDh<\/a>,\u2026<\/p>\n<p>\u2014 402bridge (@402bridge) <a href=\"https:\/\/twitter.com\/402bridge\/status\/1982860168464650534?ref_src=twsrc%5Etfw\">October 27, 2025<\/a><\/p><\/blockquote>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;When connecting to the site, we need to store the private key on the server to call contract methods. This step may expose administrator privileges, as at this stage their key is connected to the internet. If a leak occurs, a hacker can seize these privileges and redirect the user&#8217;s funds to carry out an attack,&#8221; the team of the affected project explained.<\/p>\n<\/blockquote>\n<p>The developers notified law enforcement and are conducting an internal investigation.<\/p>\n<p>SlowMist experts <a href=\"https:\/\/x.com\/evilcos\/status\/1983024261339173155\">suggested<\/a> that the breach may have been the work of an insider.<\/p>\n<h2 class=\"wp-block-heading\"><strong>First attack on the x402 ecosystem<\/strong><\/h2>\n<p>The attack is the first publicly reported theft linked to the x402 protocol\u2019s service, an online-payment tool designed for stablecoin transactions. It also allows <a href=\"https:\/\/forklog.com\/en\/news\/what-are-ai-agents-and-how-do-they-make-life-easier-for-web3-users\">AI agents<\/a> to execute autonomous deals.<\/p>\n<p>Coinbase <a href=\"https:\/\/forklog.com\/en\/news\/coinbase-unveils-payment-technology-for-ai-agents\">unveiled<\/a> the project in May. 
The solution is based on the HyperText Transfer Protocol (HTTP), used for data exchange between web browsers and servers.<\/p>\n<p>Over a month, on-chain activity on x402 grew <a href=\"https:\/\/forklog.com\/en\/news\/transaction-volume-of-coinbases-x402-protocol-surges-by-10000\">more than tenfold<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Debate over L2 security<\/strong><\/h2>\n<p>Two days before the 402bridge incident, crypto researcher Gabriel Shapiro and <a href=\"https:\/\/forklog.com\/en\/news\/what-is-solana-sol\">Solana<\/a> co-founder Anatoly Yakovenko debated the security of <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-layer%e2%80%912-solution-in-blockchain\">layer-2 solutions<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">What supporters don\u2019t understand <\/p>\n<p>1) all existing L2s have a permissioned multisig that can override the bridge contract without notice <\/p>\n<p>2) escape hatch isn\u2019t a property of the L2s, it\u2019s the property of the bridge. 
<\/p>\n<p>3) There is no Eng blocker to build a bridge on solana for\u2026 <a href=\"https:\/\/t.co\/fTyxYQrbx1\">https:\/\/t.co\/fTyxYQrbx1<\/a><\/p>\n<p>\u2014 toly \ud83c\uddfa\ud83c\uddf8 (@aeyakovenko) <a href=\"https:\/\/twitter.com\/aeyakovenko\/status\/1982127006847541297?ref_src=twsrc%5Etfw\">October 25, 2025<\/a><\/p><\/blockquote>\n<p>Shapiro argued that L2s need not be decentralised because the <a href=\"https:\/\/forklog.com\/en\/news\/what-is-ethereum-eth\">Ethereum<\/a> base layer protects them: users can force inclusion of transactions in blocks, and the risks of centralised administration are offset by L1 mechanisms.<\/p>\n<p>Yakovenko countered that today\u2019s L2s are vulnerable because they depend on <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-multisignature-what-is-a-ring-signature\">multisigs<\/a> that can alter bridge contracts without notifying users and can directly control funds. He contrasted this with Solana validators, who cannot interfere with the network state.<\/p>\n<p>Shapiro noted that modern multisigs, such as in <a href=\"https:\/\/forklog.com\/en\/news\/what-is-zksync\">ZKsync<\/a>, are backed by legal and governance assurances, not just code. 
Yakovenko\u2019s view is that legal constructs do not eliminate the technical risk of centralised control.<\/p>\n<p>In the thread\u2019s finale, the Solana co-founder said L2s do not inherit Ethereum\u2019s security but instead replicate the vulnerabilities of cross-chain bridges like <a href=\"https:\/\/forklog.com\/en\/news\/hackers-drain-more-than-319-million-from-wormhole-cross-chain-bridge-pool\">Wormhole<\/a>.<\/p>\n<p>Shapiro, for his part, sees L2s as a separate layer of trust trade-offs that, he says, will become more robust as <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-zero-knowledge-proof\">ZK proofs<\/a> advance.<\/p>\n<p>According to Global Ledger experts, the crypto industry\u2019s biggest problem has become <a href=\"https:\/\/forklog.com\/en\/news\/cybercriminals-accelerate-laundering-of-cryptoassets\">the speed of fund withdrawals<\/a> by attackers after hacks. Cross-chain bridges have become the main tool for laundering money.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On October 27, an unknown hacker attacked the 402bridge cross-chain bridge and stole 17,693 USDC.<\/p>\n","protected":false},"author":1,"featured_media":90382,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"A hacker drained 17,693 USDC from 402bridge after a private-key leak compromised team wallets.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1321,1210,44,1111,1179,1138],"class_list":["post-90381","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-base","tag-cross-chain-protocols","tag-cybercrime","tag-cybersecurity","tag-layer-2-solutions","tag-opinions"],"aioseo_notices":[],"amp_enabled":true,"views":"172","promo_type":"1","layout_type":"1","short_excerpt":"A hacker drained 17,693 USDC from 402bridge after a 
private-key leak compromised team wallets.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/90381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=90381"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/90381\/revisions"}],"predecessor-version":[{"id":90383,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/90381\/revisions\/90383"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/90382"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=90381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=90381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=90381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}