Security Incident Involving 402bridge Protocol
A significant security incident has been reported involving the 402bridge protocol: a breach has left more than 200 users without their USDC because of over-broad token authorizations. The alert came from GoPlus Security, a company specializing in web3 safety, which notified users via its Chinese social media account on October 28, barely a week after the protocol launched on-chain.
Details of the Breach
Investigations revealed that security flaws permitted the unauthorized draining of stablecoins by allowing user funds to be moved without their consent. The protocol requires users to grant a prior token approval before minting USDC; that approval was abused after ownership of the contract was transferred from the original address (0xed1A) to a new address (0x2b8F), giving the new owner extensive administrative control over the x402bridge’s operations.
Once in control, the entity operating from the 0x2b8F address executed a function called “transferUserToken,” which drained nearly $17,693 worth of USDC from wallets that had granted approval. The attacker then swapped the stolen USDC for Ethereum and moved the funds to Arbitrum through multiple cross-chain transactions.
Advisements for Users
In light of this breach, GoPlus Security has strongly advised users who interacted with the protocol to revoke any active authorizations promptly. The firm encouraged users to verify that approval requests originate from the legitimate project address, to limit the amounts they authorize, and to avoid granting unlimited access to contracts.
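One way a wallet holder or a monitoring team can check for the kind of over-broad approvals this advisory warns about, as an added example that is not code from GoPlus Security or 402bridge: it replays ERC-20 Approval event logs for one wallet, flags live allowances that are unlimited, above a chosen threshold or granted to a spender other than the expected project contract, and builds the approve(spender, 0) calldata that revokes one. All addresses, amounts and the threshold are constructed placeholders; the event topic hash and function selector are the standard ERC-20 values.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**256 - 1
HIGH_ALLOWANCE = 1_000 * 10**6  # constructed threshold: 1,000 USDC (6 decimals)

def _pad(addr):  # 20-byte address as a 32-byte ABI word / log topic, hex without the 0x prefix
    return addr[2:].lower().rjust(64, "0")

# Constructed sample data: none of these addresses or amounts come from the incident.
USDC = "0x" + "11" * 20      # token contract
WALLET = "0x" + "22" * 20    # the user's wallet (the Approval owner)
PROJECT = "0x" + "33" * 20   # the spender the user meant to authorise
UNKNOWN = "0x" + "44" * 20   # an unrelated spender, later revoked
SAMPLE_LOGS = [
    {"address": USDC, "topics": [APPROVAL_TOPIC, "0x" + _pad(WALLET), "0x" + _pad(PROJECT)], "data": hex(UNLIMITED)},
    {"address": USDC, "topics": [APPROVAL_TOPIC, "0x" + _pad(WALLET), "0x" + _pad(UNKNOWN)], "data": hex(500 * 10**6)},
    {"address": USDC, "topics": [APPROVAL_TOPIC, "0x" + _pad(WALLET), "0x" + _pad(UNKNOWN)], "data": hex(0)},
]

def latest_allowances(logs, owner):
    """Replay Approval logs in order; the newest event per (token, spender) is the live allowance."""
    allowances = {}
    for log in logs:
        topics = [t.lower() for t in log["topics"]]
        if topics[0] != APPROVAL_TOPIC or topics[1][-40:] != owner[2:].lower():
            continue
        allowances[(log["address"].lower(), "0x" + topics[2][-40:])] = int(log["data"], 16)
    return allowances

def flag_risky(allowances, trusted_spenders):
    """Report live allowances that are unlimited, above the threshold, or held by an unexpected spender."""
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for (token, spender), value in allowances.items():
        if value == 0:
            continue  # already revoked
        reasons = []
        if value == UNLIMITED:
            reasons.append("unlimited")
        elif value > HIGH_ALLOWANCE:
            reasons.append("above threshold")
        if spender not in trusted:
            reasons.append("untrusted spender")
        if reasons:
            findings.append((token, spender, value, reasons))
    return findings

def revoke_calldata(spender):
    """Calldata for approve(spender, 0): 4-byte selector, ABI-padded address, uint256 zero."""
    return "0x" + APPROVE_SELECTOR + _pad(spender) + "0" * 64
```

Against real logs the same replay works on the output of an eth_getLogs query filtered on APPROVAL_TOPIC and the wallet address as the second topic.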
Context of the Incident
The hack comes at a curious juncture, with the x402 protocol experiencing a surge in activity just the day before, achieving a market capitalization exceeding $800 million and recording 500,000 transactions in a single week, which marked an astounding increase of over 10,000% compared to the previous month. The x402 technology itself enhances digital transactions by allowing both human and AI interactions through the HTTP 402 Payment Required code, facilitating swift payments for APIs and digital content.
Ongoing Investigations
Security analysts believe this breach most likely stemmed from a leaked private key; the exact source is still under scrutiny, and investigations into possible insider involvement are ongoing. Following the incident, 402bridge has ceased all operations and taken its website offline while it collaborates with law enforcement to address the situation.
In an official communication, 402bridge confirmed that the exploit indeed arose from a compromised private key that affected multiple team testing and main wallets. “We have reported the incident to law enforcement and will provide the community with timely updates as the inquiry advances,” the protocol stated.
Operational Mechanics
To explain how its operations work, the protocol clarified that users grant transaction permissions through its web interface. Those authorizations are processed by a server that mints the tokens, which requires a private key to be stored on that server, a potential point of exposure that underscores the need for heightened security measures within decentralized finance protocols.