Over 200 wallets compromised in x402bridge hack after private key exposure

A hacker stole approximately $17,693 in USDC from more than 200 users of the x402bridge protocol after obtaining a leaked admin private key that granted unrestricted access to user wallets.

The breach, detected by GoPlus Security on October 28, exploited a critical design flaw in x402’s architecture where admin keys stored on backend servers can authorize unlimited token transfers from any wallet that previously approved the contract.

Detection and immediate impact of the x402bridge hack

On October 28, GoPlus Security alerted the community after observing suspicious authorizations linked to x402bridge. The attacker gained control by exploiting an ownership transfer in the smart contract, enabling a function called “transferUserToken” that drained wallets which had previously authorized the contract.

Stolen funds were then converted into ETH and moved through cross-chain transactions to the Arbitrum network, leaving affected users without their stablecoins.

Security advice following the breach

GoPlus Security urged users to promptly revoke any ongoing authorizations on wallets connected to x402bridge and verify authorized addresses carefully before approving new transactions.

The firm advised, “Only authorize the necessary amount and never provide unlimited access to contracts,” emphasizing the importance of regularly reviewing wallet permissions to prevent further losses.

Growing usage of the x402 protocol before the hack

The 402bridge hack comes amidst a period of rapid adoption for the x402 protocol, which experienced a surge in market value, surpassing $800 million. Coinbase’s x402 protocol recently recorded 500,000 transactions in a single week, marking a 10,780% increase from the previous month.

The protocol facilitates instant, automated payments for APIs and digital content using HTTP 402 Payment Required status codes.

Causes and investigation of the exploit

Blockchain security experts like SlowMist concluded the hack most likely resulted from a private key leak but did not exclude possible insider involvement.

The 402bridge team confirmed the private key leak compromised multiple test and main wallets.

“We have promptly reported the incident to law enforcement authorities and will keep the community updated,” the official statement read, as the team investigates the breach’s full scope.

Technical explanation of the vulnerability

The x402 mechanism requires storing private keys on backend servers to call contract methods after users authorize transactions via the web interface.

This backend architecture means the admin private key remains connected online, creating a risk of leakage. If stolen, hackers can assume full admin privileges, enabling them to redirect user funds arbitrarily  precisely what occurred in this hack.