{"id":90384,"date":"2025-10-28T18:00:00","date_gmt":"2025-10-28T16:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=90384"},"modified":"2025-10-28T17:27:11","modified_gmt":"2025-10-28T15:27:11","slug":"402bridge-loses-over-17000-usdc","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/402bridge-loses-over-17000-usdc\/","title":{"rendered":"402bridge loses over 17,000 USDC"},"content":{"rendered":"<p>On October 27, an unknown hacker attacked the <a href=\"https:\/\/forklog.com\/en\/news\/what-are-cross-chain-bridges\">cross-chain bridge<\/a> 402bridge, stealing tokens worth 17,693 USDC. A private-key leak compromised more than a dozen of the team\u2019s test and main wallets.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Due to this private key leak, more than a dozen of the team\u2019s test and main wallets have also been compromised (ex. screenshot below). <\/p>\n<p>We have promptly reported the incident to law enforcement authorities and will keep the community informed with timely updates as the\u2026 <a href=\"https:\/\/t.co\/AZfgd1yWKG\">pic.twitter.com\/AZfgd1yWKG<\/a><\/p>\n<p>\u2014 402bridge (@402bridge) <a href=\"https:\/\/twitter.com\/402bridge\/status\/1983042581190853022?ref_src=twsrc%5Etfw\">October 28, 2025<\/a><\/p><\/blockquote>\n<p>According to GoPlus security experts, the incident was caused by \u201cexcessive authorisation\u201d before minting. The attacker <a href=\"https:\/\/basescan.org\/tx\/0x089a6336425c6ee6d8954923763cbaeef1173ce44b5c0ab853c85863726e46e2\">changed the owner<\/a> of the compromised smart contract and, using the transferUserToken method, transferred remaining authorised USDC from the wallets of more than 200 users. 
He then stole the <a href=\"https:\/\/forklog.com\/en\/news\/what-are-stablecoins\">stablecoins<\/a>, converted them <a href=\"https:\/\/etherscan.io\/address\/0x2b8f95560b5f1d1a439dd4d150b28fae2b6b361f\">into 4.2 ETH<\/a> and moved the funds to the Arbitrum network.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"zh\" dir=\"ltr\">1\/ <a href=\"https:\/\/twitter.com\/hashtag\/x402?src=hash&#038;ref_src=twsrc%5Etfw\">#x402<\/a> big trap\u2757\ufe0f Excessive (unlimited) authorisation can be fatal\u2026\u2026<\/p>\n<p>The x402 cross-chain protocol <a href=\"https:\/\/twitter.com\/402bridge?ref_src=twsrc%5Etfw\">@402bridge<\/a> appears to have been hacked: the Creator of contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5 transferred the Owner role to 0x2b8F95560b5f1d1a439dd4d150b28FAE2B6B361F, and the new Owner then called the contract\u2019s transferUserToken method to transfer all remaining USDC from the wallets of users who had granted authorisation.\u2026 <a href=\"https:\/\/t.co\/hegqhap3Od\">pic.twitter.com\/hegqhap3Od<\/a><\/p>\n<p>\u2014 GoPlus Chinese Community (@GoPlusZH) <a href=\"https:\/\/twitter.com\/GoPlusZH\/status\/1983015854859338167?ref_src=twsrc%5Etfw \">October 28, 2025<\/a><\/p><\/blockquote>\n<p>Experts recommended that all affected users revoke approvals on smart contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5.<\/p>\n<p>As 402bridge explained, the x402 mechanism requires users to sign or approve transactions via the web interface, which are then sent to a backend server. The backend server extracts the funds and performs the minting, before returning a result to the user.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The x402 mechanism requires users to sign or approve transactions via the web interface, which are then sent to a backend server. 
The backend server extracts the funds and performs the minting, finally returning a result to the user.<\/p>\n<p>When we onboard to <a href=\"https:\/\/t.co\/RJ3Cz5txDh\">https:\/\/t.co\/RJ3Cz5txDh<\/a>,\u2026<\/p>\n<p>\u2014 402bridge (@402bridge) <a href=\"https:\/\/twitter.com\/402bridge\/status\/1982860168464650534?ref_src=twsrc%5Etfw\">October 27, 2025<\/a><\/p><\/blockquote>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cWhen connecting to the site, we need to store the private key on the server to call contract methods. This step may expose administrator privileges, since at this stage the key is connected to the internet. If a leak occurs, a hacker will be able to obtain these privileges and reroute the user\u2019s funds to carry out an attack,\u201d the team of the affected project explained.<\/p>\n<\/blockquote>\n<p>The developers have notified law-enforcement authorities and are conducting an internal investigation.<\/p>\n<p><a href=\"https:\/\/x.com\/evilcos\/status\/1983024261339173155\">SlowMist<\/a> experts suggested the breach may have been an inside job.<\/p>\n<h2 class=\"wp-block-heading\"><strong>First attack on the x402 ecosystem<\/strong><\/h2>\n<p>The hack is the first public case of theft linked to the x402 protocol, a tool for online payments designed for stablecoin transactions. It also allows <a href=\"https:\/\/forklog.com\/en\/news\/what-are-ai-agents-and-how-do-they-make-life-easier-for-web3-users\">AI agents<\/a> to execute autonomous deals.<\/p>\n<p>Coinbase <a href=\"https:\/\/forklog.com\/en\/news\/coinbase-unveils-payment-technology-for-ai-agents\">unveiled<\/a> the project in May. 
The solution is based on the HyperText Transfer Protocol (HTTP), which is used for data exchange between web browsers and servers.<\/p>\n<p>Within a month, on-chain activity in x402 grew <a href=\"https:\/\/forklog.com\/en\/news\/transaction-volume-of-coinbases-x402-protocol-surges-by-10000\">more than tenfold<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Debate over L2 security<\/strong><\/h2>\n<p>Two days before the 402bridge incident, crypto researcher Gabriel Shapiro and <a href=\"https:\/\/forklog.com\/en\/news\/what-is-solana-sol\">Solana<\/a> co-founder Anatoly Yakovenko debated the security of <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-layer%e2%80%912-solution-in-blockchain\">layer-2 solutions<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">What supporters don\u2019t understand <\/p>\n<p>1) all existing L2s have a permissioned multisig that can override the bridge contract without notice <\/p>\n<p>2) escape hatch isn\u2019t a property of the L2s, it\u2019s the property of the bridge. 
<\/p>\n<p>3) There is no Eng blocker to build a bridge on solana for\u2026 <a href=\"https:\/\/t.co\/fTyxYQrbx1\">https:\/\/t.co\/fTyxYQrbx1<\/a><\/p>\n<p>\u2014 toly \ud83c\uddfa\ud83c\uddf8 (@aeyakovenko) <a href=\"https:\/\/twitter.com\/aeyakovenko\/status\/1982127006847541297?ref_src=twsrc%5Etfw\">October 25, 2025<\/a><\/p><\/blockquote>\n<p>Shapiro argued that L2s do not have to be decentralised, since they are secured by the <a href=\"https:\/\/forklog.com\/en\/news\/what-is-ethereum-eth\">Ethereum<\/a> blockchain: users can force their transactions to be included in blocks, and the risks of centralised control are offset by L1 mechanisms.<\/p>\n<p>According to Yakovenko, the vulnerability of current L2s lies in their reliance on <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-multisignature-what-is-a-ring-signature\">multisigs<\/a>, which can change bridge contracts without notice and directly control funds. He contrasted this with validators in Solana, who have no ability to interfere with the network\u2019s state.<\/p>\n<p>Shapiro noted that modern multisigs, for example in <a href=\"https:\/\/forklog.com\/en\/news\/what-is-zksync\">ZKsync<\/a>, are backed by legal and governance guarantees, not just code. 
Yakovenko, however, argued that legal constructs do not eliminate the technical risk of centralised control.<\/p>\n<p>In the thread\u2019s finale, the Solana co-founder said that L2s do not inherit Ethereum\u2019s security but replicate the vulnerabilities of cross-chain bridges such as <a href=\"https:\/\/forklog.com\/en\/news\/hackers-drain-more-than-319-million-from-wormhole-cross-chain-bridge-pool\">Wormhole<\/a>.<\/p>\n<p>Shapiro, for his part, sees L2s as a distinct layer of trust trade-offs that, he says, will become more reliable with advances in <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-zero-knowledge-proof\">zero-knowledge proofs<\/a>.<\/p>\n<p>According to experts at Global Ledger, the crypto industry\u2019s main problem has become the <a href=\"https:\/\/forklog.com\/en\/news\/cybercriminals-accelerate-laundering-of-cryptoassets\">speed of fund withdrawals<\/a> by attackers after hacks. Cross-chain bridges are the primary tool for laundering stolen money.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On October 27, an unknown hacker attacked the 402bridge cross-chain bridge and stole tokens worth 17,693 USDC.<\/p>\n","protected":false},"author":1,"featured_media":90385,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"402bridge hacked; 17,693 USDC stolen after private-key leak compromised team wallets.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1321,1210,44,1111,1179,1138],"class_list":["post-90384","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-base","tag-cross-chain-protocols","tag-cybercrime","tag-cybersecurity","tag-layer-2-solutions","tag-opinions"],"aioseo_notices":[],"amp_enabled":true,"views":"223","promo_type":"1","layout_type":"1","short_excerpt":"402bridge hacked; 
17,693 USDC stolen after private-key leak compromised team wallets.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/90384","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=90384"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/90384\/revisions"}],"predecessor-version":[{"id":90386,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/90384\/revisions\/90386"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/90385"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=90384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=90384"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=90384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}