GoPlus has detected anomalous authorization activity linked to 402bridge. More than 200 users lost their USDC as a result of excessive authorizations in the protocol.
Summary
- The x402bridge protocol was breached through a compromised administrator private key, allowing attackers to steal approximately $17,693 in USDC from over 200 users.
- The hack revealed vulnerabilities in the x402 mechanism, which relies on private keys stored on servers to grant administrative privileges to on-chain addresses, potentially allowing them to over-distribute and approve transactions.
On October 28, Web3 security company GoPlus Security’s Chinese social media account alerted users to a possible security breach related to x402bridge, an x402 cross-layer protocol. This hack occurred just days after the protocol was launched on-chain.
Before minting USDC, the action must first be approved by the owner contract. In this case, over 200 users lost their remaining stablecoins in a series of transfers due to excessive authorization.
GoPlus (GPS) noted that the creator of the contract starting with 0xed1A transferred ownership to address 0x2b8F and granted the new address special administrative privileges (such as changing key settings and moving assets) held by the x402bridge team.
Immediately after gaining control, the new owner address executed a function called “transferUserToken.” This function allowed the address to drain all remaining USDC from wallets that had previously authorized the contract.

402bridge suffered a breach in which hackers drained USDC from users’ wallets. Source: GoPlus Security
In total, the 0x2b8F address drained approximately $17,693 worth of USDC from users before converting the stolen funds into ETH. The newly converted ETH was then transferred to Arbitrum through multiple cross-chain transactions.
As a result of this breach, GoPlus Security recommended that users whose wallets have authorized this protocol revoke any outstanding authorizations as soon as possible. The security firm also reminded users to check that the address being approved is the project's official address before approving a transfer.
Additionally, users should approve only the amount they need and avoid giving unlimited approvals to contracts. Overall, users should regularly review their permissions and revoke unnecessary ones.
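The approval review recommended above can be scripted. The following is an added example, not code from GoPlus or 402bridge: it replays ERC-20 Approval event logs (in the shape eth_getLogs returns) and flags allowances that are unlimited or granted to a spender outside an allowlist. All addresses and log entries are constructed placeholders, and the trusted_spenders allowlist and the "unlimited" threshold are assumptions.

```python
# topic0 = keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 2**255  # assumption: anything this large is effectively unlimited

def _addr(topic):
    return "0x" + topic[-40:].lower()  # address = low 20 bytes of the 32-byte topic

def standing_allowances(logs):
    """Replay Approval events in chain order; keep the latest non-zero value per key."""
    latest = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares topic0 but has 4 topics
        key = (log["address"].lower(), _addr(topics[1]), _addr(topics[2]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def findings(logs, trusted_spenders):
    """Map (owner, spender) -> reasons the allowance should be reviewed or revoked."""
    trusted = {s.lower() for s in trusted_spenders}
    out = {}
    for (_token, owner, spender), value in standing_allowances(logs).items():
        reasons = []
        if value >= UNLIMITED_FLOOR:
            reasons.append("unlimited")
        if spender not in trusted:
            reasons.append("unverified-spender")
        if reasons:
            out[(owner, spender)] = reasons
    return out

# Constructed sample data: placeholder addresses, eth_getLogs-shaped entries.
TOKEN, BRIDGE, DEX = ("0x" + b * 20 for b in ("11", "22", "33"))
ALICE, BOB, CAROL = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
MAX = 2**256 - 1  # uint256 max, the usual "unlimited" approval value

def sample_log(block, owner, spender, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": hex(block), "logIndex": "0x0",
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [sample_log(9, CAROL, BRIDGE, MAX), sample_log(10, ALICE, BRIDGE, MAX),
               sample_log(11, BOB, BRIDGE, 5_000_000), sample_log(12, ALICE, DEX, 250_000_000),
               sample_log(14, CAROL, BRIDGE, 0)]  # Carol revoked at block 14

if __name__ == "__main__":
    print(findings(SAMPLE_LOGS, trusted_spenders=[DEX]))
```

Replayed Approval events give an upper bound, because transferFrom can reduce an allowance without emitting Approval; confirm each finding with the token's allowance(owner, spender) call before revoking it with approve(spender, 0).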
This hack occurred just days after the use of x402 transactions began to skyrocket. On October 27th, the market value of the x402 token exceeded $800 million for the first time. Meanwhile, Coinbase’s x402 protocol recorded 500,000 transactions in one week, representing an increase of 10,780% compared to the previous month.
The x402 protocol allows both humans and AI agents to perform transactions using the HTTP 402 Payment Required status code, enabling instant programmatic payments for APIs and digital content. This means you can make instant stablecoin payments via HTTP.
What is the cause of the hacking allegations against 402bridge?
On-chain detectives and blockchain security companies such as SlowMist have concluded that this breach was most likely caused by a private key leak. However, the possibility of insider involvement was not ruled out. Due to this breach, the project has ceased all activities and the website is currently offline.
402bridge’s official account has since addressed this exploit, confirming that it was indeed caused by a private key leak, and confirming that more than a dozen team test wallets and main wallets on the protocol were compromised in the process. The team is currently investigating the incident and has reported it to the authorities.
“We promptly reported this incident to law enforcement and will continue to provide timely updates to the community as the investigation progresses,” 402 Bridge said.
In another post shared earlier, the protocol explained how the x402 mechanism works. Users must sign or approve transactions through the web interface. The authorization is then sent to the backend server, where funds are extracted and tokens are minted.
“When onboarding to x402scan.com, you must store a private key on the server to call contract methods,” the protocol states.
“Because the administrator’s private key is connected to the internet at this stage, this step could expose administrator privileges, potentially leading to privilege leaks,” the team continued.
As a result, if the private key is stolen by a hacker, the hacker can take over all administrative privileges and reallocate user funds to the hacker’s contracts.


