Blockchain security firm PeckShieldAlert has reported a security breach targeting 402Bridge, a recently launched payment protocol built around the x402 mechanism, resulting in the theft of approximately $17,000 in USDC.
The incident, which affected more than 200 users, occurred just days after 402Bridge went live and quickly drew attention from the Web3 security community. PeckShieldAlert confirmed the exploit in a post on X, warning users to revoke any token approvals linked to the compromised contract address “0xed…9FC5”.
According to the 402Bridge team, the exploit originated from a critical design flaw in its backend process. The x402 protocol required users to sign or approve transactions via a web interface that relayed them to a backend server.
This server, which was connected to the internet, used an admin private key to execute contract methods, a setup that inadvertently exposed administrative privileges to attackers.
Blockchain investigators, including SlowMist founder Cos, identified the hacker’s wallet address as “0x2b8F”. The attacker reportedly siphoned off $17,693 in USDC, converted the stolen funds into 4.2 ETH, and transferred them through Arbitrum via multiple cross-chain transactions to obfuscate the trail.
GoPlus Security also issued a warning on its Chinese social media account, alerting users to revoke authorizations associated with 402Bridge. The firm noted that the attacker exploited a function called “transferUserToken”, which enabled the unauthorized draining of USDC from user wallets that had previously granted approvals.
Security experts have since advised users to verify contract addresses before granting permissions, avoid unlimited token approvals, and routinely revoke unnecessary authorizations.
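The approval review recommended above can be done by replaying a wallet's ERC-20 `Approval` event logs. The following is an added example, not code from 402Bridge or any of the firms quoted; every address and log entry is constructed sample data, and `make_log`, `outstanding_approvals` and the placeholder addresses are hypothetical names.

```python
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner, watched_spenders=()):
    """Replay Approval logs in chain order; return owner's non-zero approvals.
    The value is the last approved amount, an upper bound on the live allowance."""
    owner, watched = owner.lower(), {s.lower() for s in watched_spenders}
    latest = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (the ERC-721 one has 4 topics)
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)  # a later approval overwrites earlier
    findings = [{"token": t, "spender": s, "value": v,
                 "unlimited": v == UNLIMITED, "watched": s in watched}
                for (t, s), v in latest.items() if v != 0]  # 0 means revoked
    # Flagged spenders first, then unlimited approvals.
    return sorted(findings, key=lambda f: (not f["watched"], not f["unlimited"]))

def make_log(token, owner, spender, value, block, index=0):
    """Build a constructed log shaped like an eth_getLogs result entry."""
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

# Constructed placeholders, not real addresses.
OWNER, STRANGER = "0x" + "aa" * 20, "0x" + "99" * 20
TOKEN = "0x" + "c0" * 20                       # stand-in for a stablecoin
FLAGGED = "0x" + "bb" * 20                     # stand-in for a flagged contract
DEX, VAULT = "0x" + "dd" * 20, "0x" + "ee" * 20
SAMPLE_LOGS = [                                # deliberately out of order
    make_log(TOKEN, OWNER, DEX, 0, block=3),   # revocation of the block-1 grant
    make_log(TOKEN, OWNER, DEX, 500, block=1),
    make_log(TOKEN, OWNER, FLAGGED, UNLIMITED, block=2),
    make_log(TOKEN, STRANGER, FLAGGED, 100, block=4),
    make_log(TOKEN, OWNER, VAULT, 1000, block=5),
]

if __name__ == "__main__":
    for f in outstanding_approvals(SAMPLE_LOGS, OWNER, [FLAGGED]):
        print(f)
```

Because spending through `transferFrom` lowers an allowance without necessarily emitting a new `Approval` event, confirm each finding against the token's on-chain `allowance(owner, spender)` before and after revoking.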
The 402Bridge breach underscores the persistent vulnerabilities in emerging cross-chain payment protocols, emphasizing the need for stronger backend security and key management practices in the fast-evolving decentralized finance ecosystem.