Web3 security company GoPlus Security reported that the newly launched cross-layer protocol x402bridge suffered a security vulnerability, resulting in over 200 users losing USDC, totaling approximately $17,693. On-chain investigators and the security company SlowMist have confirmed that the vulnerability was most likely caused by the leakage of the administrator's private key, which allowed attackers to gain special management permissions over the contract. GoPlus Security urgently advises all users with wallets on this protocol to revoke ongoing authorizations as soon as possible and reminds users never to grant unlimited authorization to contracts. This incident exposed the potential security risk of storing the private key on a server in the x402 mechanism, which could lead to the leakage of administrator permissions.
New Protocol x402bridge Attacked: Excessive Authorization Exposes Private Key Security Risks
The x402bridge protocol suffered a security attack a few days after its on-chain launch, resulting in user fund losses. The protocol's mechanism requires users to grant a token authorization (approval) to the contract before minting USDC. In this incident, it was this excessive authorization that allowed the remaining USDC balances of over 200 users to be transferred out.
Attackers exploited the leaked private key to steal users' USDC
According to observations by GoPlus Security, the attack process clearly points to privilege abuse:
- Permission transfer: The creator address (starting with 0xed1A) transferred ownership to an address starting with 0x2b8F, granting the latter the special management permissions held by the x402bridge team, including the ability to modify critical settings and transfer assets.
- Malicious function execution: After gaining control, the new owner address immediately executed a function called "transferUserToken", which let that address withdraw the remaining USDC from every wallet that had previously authorized the contract.
- Loss and transfer of funds: The 0x2b8F address stole a total of approximately $17,693 worth of USDC from users, then swapped the stolen funds for Ethereum and moved them to the Arbitrum network through multiple cross-chain transactions.
Root Cause of the Vulnerability: Private Key Storage Risks in the x402 Mechanism
The x402bridge team has responded to this incident, confirming that the attack was caused by a private key leak, which led to the theft of funds from several of the team's test and main wallets. The project has suspended all activities, closed the website, and reported the matter to law enforcement.
- Authorization process risk: The protocol previously explained the workings of its x402 mechanism: users sign or approve transactions through a web interface, and the authorization information is sent to the backend server, which then withdraws funds and mints tokens.
- Private key exposure risk: The team admits, "When we go live on x402scan.com, we need to store the private key on the server to call contract methods." This step can expose the administrator's private key while the server is reachable from the internet, potentially resulting in permission leakage. Once the private key is stolen, hackers can take over all administrator privileges and redistribute user funds.
A few days before this attack occurred, usage of x402 transactions surged. On October 27, the market capitalization of the x402 token surpassed $800 million for the first time, and the trading volume of the x402 protocol on mainstream centralized exchanges (CEXs) reached 500,000 transactions in a week, a month-on-month increase of 10,780%.
Security advice: GoPlus urges users to revoke authorization immediately
Given the seriousness of this leak, GoPlus Security urgently advises users with wallets on this protocol to immediately revoke any ongoing authorizations. The security company also reminds all users:
- Verify the address: Before approving any transfers, check that the authorized address is the official address of the project.
- Limit the authorized amount: Only authorize the necessary amount, and do not grant unlimited authorization to the contract.
- Regular checks: Regularly check and revoke unnecessary authorizations.
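The three checks above can be turned into a routine audit. The following is an added example, not code from x402bridge or GoPlus: it replays ERC-20 Approval events for one wallet and reports allowances worth revoking, which is exactly the kind of standing approval the "transferUserToken" drain relied on. All addresses, the allowlist and the log entries are constructed placeholders; in practice the logs would come from an RPC `eth_getLogs` query and the allowlist from the project's published contract addresses.

```python
# Added example (not x402bridge or GoPlus code): replay ERC-20 Approval events for one
# wallet and flag allowances worth revoking. All addresses and logs are constructed placeholders.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1
USDC_UNIT = 10**6  # USDC has 6 decimals

def topic_to_address(topic):
    """Indexed address topics are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def decode_approval(log):
    """Decode one Approval(owner, spender, value) log; return None for any other event."""
    if len(log["topics"]) != 3 or log["topics"][0].lower() != APPROVAL_TOPIC:
        return None
    return {"token": log["address"].lower(), "owner": topic_to_address(log["topics"][1]),
            "spender": topic_to_address(log["topics"][2]), "value": int(log["data"], 16)}

def audit_allowances(logs, wallet, official_spenders, cap=10_000 * USDC_UNIT):
    """Replay logs in chain order (a later Approval for the same token/spender overrides an
    earlier one) and return the wallet's surviving allowances that are unlimited, above
    `cap`, or granted to a spender outside the caller's allowlist of official addresses."""
    official = {a.lower() for a in official_spenders}
    current = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        ev = decode_approval(log)
        if ev and ev["owner"] == wallet.lower():
            current[(ev["token"], ev["spender"])] = ev["value"]
    findings = []
    for (token, spender), value in current.items():
        reasons = []
        if value == UINT256_MAX:
            reasons.append("unlimited approval")
        elif value > cap:
            reasons.append("approval above cap")
        if spender not in official:
            reasons.append("spender not in official allowlist")
        if value > 0 and reasons:  # a zero allowance is already revoked
            findings.append({"token": token, "spender": spender, "value": value, "reasons": reasons})
    return findings

# Constructed sample data: the user's wallet, the official contract, an unknown spender, a token.
WALLET, OFFICIAL, UNKNOWN, USDC = ("0x" + c * 40 for c in "1abc")
def make_log(block, idx, spender, value):
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")  # ABI-encode an address as a topic
    return {"address": USDC, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(WALLET), pad(spender)], "data": "0x" + format(value, "064x")}
SAMPLE_LOGS = [make_log(100, 0, OFFICIAL, 50 * USDC_UNIT),  # bounded approval, fine on its own
               make_log(101, 3, UNKNOWN, 500 * USDC_UNIT),  # bounded, but spender is not official
               make_log(102, 1, OFFICIAL, UINT256_MAX)]     # later unlimited approval overrides block 100
```

Running `audit_allowances(SAMPLE_LOGS, WALLET, [OFFICIAL])` reports the unlimited approval to the official contract and the bounded approval to the unknown spender; an approval of 0 in a later block (a revoke) clears the corresponding finding.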
Conclusion
The x402bridge private key leak has once again sounded the alarm in the Web3 space about the risks posed by centralized components, such as servers that store private keys. Although the x402 protocol aims to use the HTTP 402 Payment Required status code to enable instant, programmable stablecoin payments, the security weaknesses in its implementation must be addressed immediately. For users, this attack is an expensive lesson: remain vigilant and manage wallet authorizations carefully when interacting with any blockchain protocol.