Hacker steals $17.7K from 402bridge: threat to cross-chain bridge security

On October 27, an unidentified hacker launched an attack on the cross-chain bridge 402bridge, stealing tokens worth 17,693 USDC. A private key leak compromised over a dozen of the team’s test and main wallets.

Security experts from GoPlus attributed the incident to "excessive authorization" prior to the issuance of coins. The attacker changed the owner of the compromised smart contract and, using the transferUserToken method, transferred excess USDC to the accounts of more than 200 users. Following that, they stole stablecoins, converted them to 4.2 ETH, and transferred them to the Arbitrum network.

Experts advised all affected users to revoke authorization in the smart contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5.
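Assuming the authorization in question is a standard ERC-20 allowance, revoking it means each affected wallet calls approve(spender, 0) on the token contract. The Python below is an added example, not code from 402bridge, GoPlus or the original article: it builds the allowance query and the revoke calldata for the contract address above and flags wallets that are still exposed. The token address, wallet addresses and RPC responses are constructed placeholders.

```python
import json

# Contract named in the article as the spender to revoke.
SPENDER = "0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5"
TOKEN = "0x" + "11" * 20      # placeholder: USDC token contract on the affected chain
ALLOWANCE_SEL = "dd62ed3e"    # selector of allowance(address,address)
APPROVE_SEL = "095ea7b3"      # selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1      # the usual "unlimited" approval value

def addr_word(addr):
    """ABI-encode an address as a left-padded 32-byte hex word."""
    raw = addr.lower().removeprefix("0x")
    if len(raw) != 40 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a 20-byte address: {addr!r}")
    return raw.rjust(64, "0")

def allowance_call(owner, spender=SPENDER, token=TOKEN):
    """JSON-RPC eth_call request for token.allowance(owner, spender)."""
    data = "0x" + ALLOWANCE_SEL + addr_word(owner) + addr_word(spender)
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}

def revoke_calldata(spender=SPENDER):
    """Calldata for approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE_SEL + addr_word(spender) + "0" * 64

def audit(results, decimals=6):
    """results maps owner -> hex uint256 from eth_call; returns wallets still exposed."""
    exposed = []
    for owner, hexval in results.items():
        amount = int(hexval, 16)
        if amount:
            exposed.append({"owner": owner, "unlimited": amount == MAX_UINT256,
                            "allowance": amount / 10**decimals,
                            "revoke_tx": {"to": TOKEN, "data": revoke_calldata()}})
    return exposed

# Constructed sample: three placeholder wallets and the allowance each query returned.
SAMPLE = {
    "0x" + "aa" * 20: "0x" + "f" * 64,                    # unlimited approval
    "0x" + "bb" * 20: "0x" + format(25_000_000, "064x"),  # 25 USDC (6 decimals)
    "0x" + "cc" * 20: "0x" + "0" * 64,                    # already revoked
}

if __name__ == "__main__":
    print(json.dumps(allowance_call("0x" + "aa" * 20), indent=2))
    print(json.dumps(audit(SAMPLE), indent=2))
```

A wallet is only safe once the allowance query for it returns zero; an unlimited approval stays valid after the user's balance changes, so it should be revoked even if the wallet is currently empty.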

According to 402bridge, the x402 resolution mechanism requires users to sign or approve transactions through a web interface, which are then sent to an internal server. Once there, the funds are extracted, and coins are issued.

"When connecting to the site, we need to store the private key on the server to call the contract methods. This step can expose administrative rights, as at this stage, their key is connected to the internet. If a leak occurs, a hacker could seize those rights and redirect user funds for an attack," explained the affected project’s team.

The developers have notified law enforcement about the incident and are conducting an internal investigation.

According to experts from SlowMist, the breach may have been orchestrated by someone with insider knowledge.

This incident marks the first public case of fund theft associated with the x402 protocol service, which is a tool for online payments intended for transactions with stablecoins. It also allows AI agents to conduct autonomous trades.

Coinbase introduced this project in May. The solution is based on the HyperText Transfer Protocol (HTTP), which is used for data exchange between web browsers and servers.

Over the past month, on-chain activity in x402 has surged more than tenfold.

Two days before the incident with 402bridge, crypto researcher Gabriel Shapiro and Solana co-founder Anatoly Yakovenko debated the security of layer 2 solutions.

Shapiro asserted that L2 solutions do not have to be decentralized since there is inherent protection from the Ethereum blockchain: users can compel transaction inclusion in blocks, and the risks of centralized governance are mitigated by L1 mechanisms.

Yakovenko countered that the vulnerability of current L2s lies in their reliance on multi-signatures, which can alter bridge contracts without notifying users, thus directly controlling funds. He contrasted this with Solana validators, who are unable to interfere with the network’s state.

Shapiro remarked that modern multi-signatures, for instance in ZKsync, are backed by legal and governance assurances, not just code. However, Yakovenko maintained that legal structures do not eliminate the technical risk of centralized control.

At the end of the thread, the Solana co-founder claimed that L2s do not inherit Ethereum’s security but replicate the vulnerabilities of cross-chain bridges like Wormhole.

Shapiro views L2s as a separate level of trust trade-offs, which will become more secure with the advancement of zero-knowledge proofs.

It’s worth noting that experts from Global Ledger consider the main issue in the crypto industry to be the speed at which criminals withdraw funds after hacks. Cross-chain bridges have become the primary tool for hackers to launder money.