A new security report has raised concerns about the fast-expanding x402 ecosystem, a collection of cryptocurrency projects built around an attempt to revive a long-ignored part of the early internet: the HTTP 402 “Payment Required” status code.
The idea behind x402 is simple on paper. When the web was originally designed, HTTP 402 was intended to signal that a user must pay before accessing a resource. The code was never widely implemented, but developers in the crypto sector have revived the concept to enable automated payments at the protocol level.
Over the past several months, dozens of projects have adopted the 402 theme, from basic tokens to cross-chain payment tools.
As interest grew — boosted by mentions from major tech and crypto companies — so did speculation. Many of the newest additions to the ecosystem are meme-style tokens launched quickly to capitalize on the trend, often without basic security checks.
Now, GoPlus Security, a blockchain security company known for running automated risk-scanning services and wallet-level security tools, has published a review of more than 30 x402-related projects. The company says the goal of the scan was to map out the types of risks appearing repeatedly as the ecosystem expands.
What GoPlus Found
GoPlus used its internal AI-assisted auditing engine to examine x402 projects listed in the x402 sections of Binance Wallet, OKX Wallet, and community-flagged lists. According to the company, the majority of projects scanned showed at least one high-risk issue.
(Announced by GoPlus Security (@GoPlusSecurity) on X, November 17, 2025.)
The report identifies several categories of vulnerabilities that appeared frequently:
Excessive Authorization
Some contracts give owners or administrators the ability to move tokens that belong to the contract or its users. This means the person or group controlling the contract could withdraw funds at any time, either intentionally or by mistake.
Signature Replay
Some projects use digital signatures to approve actions but do not include protections like nonces or expiration times. Because of this, the same signature can be used again in other situations, letting someone perform actions they are not supposed to.
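The replay weakness above, shown as an added Solidity example that is not from the report or any of the audited projects: the first contract signs only the recipient and amount, so one captured signature can be resubmitted (and is also valid on any identical deployment); the second binds chain id, contract address, a per-user nonce and an expiry into the message and consumes the nonce before crediting. It assumes the OpenZeppelin v5 `ECDSA` and `MessageHashUtils` helpers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

// Vulnerable pattern (illustrative, not a real project): the signed
// message binds only (user, amount). The same signature is accepted
// again and again, and also on any clone of this contract.
contract ReplayableClaim {
    using ECDSA for bytes32;
    address public immutable signer;
    mapping(address => uint256) public credits;
    constructor(address s) { signer = s; }

    function claim(uint256 amount, bytes calldata sig) external {
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(
            keccak256(abi.encodePacked(msg.sender, amount)));
        require(digest.recover(sig) == signer, "bad sig");
        credits[msg.sender] += amount; // repeatable with the same sig
    }
}

// Hardened pattern: chain id, this contract's address, a per-user nonce
// and a deadline are all part of the signed message; the nonce is
// consumed before any state is credited, so a digest is usable once.
contract NonceClaim {
    using ECDSA for bytes32;
    address public immutable signer;
    mapping(address => uint256) public nonces;
    mapping(address => uint256) public credits;
    constructor(address s) { signer = s; }

    function claim(uint256 amount, uint256 deadline, bytes calldata sig) external {
        require(block.timestamp <= deadline, "expired");
        uint256 nonce = nonces[msg.sender]++; // burn the nonce first
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(
            keccak256(abi.encode(
                block.chainid, address(this), msg.sender, amount, nonce, deadline)));
        require(digest.recover(sig) == signer, "bad sig");
        credits[msg.sender] += amount;
    }
}
```

A reviewer checking an x402-style signed-approval flow can look for exactly these four fields in the signed payload; if any is missing, the signature is reusable in some context the signer did not intend.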
Honeypot Structures
Some contracts may look fine at first, but hide ways for the owner to block withdrawals or take funds. They often include owner-only functions or special conditions that only activate after users interact with the contract, so the risk is not immediately obvious.
Unlimited Minting
Some tokens have mint functions that are not properly restricted. This means anyone, or a designated privileged account, can create an unlimited number of tokens, which dilutes existing holders and undermines the project's token economics.
Recent x402-Related Incidents
- October 28: The cross-chain protocol @402bridge was exploited because of excessive authorization. Attackers moved USDC from more than 200 user accounts.
- November 12: The project Hello402 (@Xlayer402) had unlimited minting, centralization issues, and low liquidity. These problems caused the token’s price to fall.
Project-Specific Findings
GoPlus listed several contracts showing high-risk behavior. Their explanations are reproduced exactly as written:
- FLOCK (0x5ab3): “The transferERC20 function allows the owner to extract any amount of any token from the contract.”
- x420 (0x68e2): “The crosschainMint function can mint tokens without restrictions.”
- U402 (0xd2b3): “The mintByBond function allows a bond to mint tokens without restrictions.”
- MRDN (0xe57e): “The withdrawToken function allows the owner to extract any amount of any token from the contract.”
- PENG (0x4444ee, 0x444450, 0x444428): “The manualSwap function allows owner to extract ETH from the contract, and the transferFrom function bypasses allowance checks for special accounts.”
- x402Token (0x40ff): “The transferFrom function bypasses allowance checks for special accounts.”
- x402b (0xd8af5f): “The manualSwap function allows owner to extract ETH from the contract, and the transferFrom function bypasses allowance checks for special accounts.”
- x402MO (0x3c47df): “The manualSwap function allows owner to extract ETH from the contract, and the transferFrom function bypasses allowance checks for special accounts.”
- H402 (Old) (0x8bc76a): “The withdrawDevToken function allows owner to directly mint tokens, and addTokenCredits+redeemTokenCredits functions enable unlimited minting.”
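The two patterns that recur in the findings above (an unrestricted mint, and a `transferFrom` that skips the allowance check for "special accounts", the kind of owner-controlled special condition the excessive-authorization and honeypot sections describe), as an added illustrative example that is not code from any listed project: the first contract reproduces the risky shape, the second shows the conventional fix. It assumes OpenZeppelin v5 `ERC20` and `Ownable`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Risky pattern (illustrative): an owner-managed "excluded" list skips
// the allowance check, so an excluded caller can move any holder's
// balance, and mint() has no access control or supply cap at all.
contract RiskyToken is ERC20, Ownable {
    mapping(address => bool) public excluded; // the "special accounts"
    constructor() ERC20("Risky", "RSK") Ownable(msg.sender) {}

    function setExcluded(address a, bool v) external onlyOwner { excluded[a] = v; }

    function mint(address to, uint256 amount) external { // anyone can call
        _mint(to, amount);
    }

    function transferFrom(address from, address to, uint256 amount)
        public override returns (bool)
    {
        if (!excluded[msg.sender]) _spendAllowance(from, msg.sender, amount);
        _transfer(from, to, amount); // excluded caller needs no approval
        return true;
    }
}

// Hardened pattern: the inherited transferFrom always spends allowance
// (no override), and minting is limited to one minter role and bounded
// by an immutable supply cap that no one can raise after deployment.
contract CappedToken is ERC20, Ownable {
    uint256 public immutable cap;
    address public minter;
    constructor(uint256 cap_) ERC20("Capped", "CAP") Ownable(msg.sender) { cap = cap_; }

    function setMinter(address m) external onlyOwner { minter = m; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(totalSupply() + amount <= cap, "cap exceeded");
        _mint(to, amount);
    }
}
```

When reviewing a token, any override of `transferFrom` that contains a conditional around the allowance check, and any `mint`-like function reachable without a role check or cap, should be flagged regardless of what the function is named.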
These examples illustrate a pattern: many projects rely on contract structures that concentrate control in a single party or allow unrestricted token creation.
A Growing Sector with Uneven Standards
The x402 trend emerged quickly, pulling in developers, traders, and opportunistic token creators at the same time. As with many fast-moving crypto narratives, the pace of launches has outstripped security practices in several parts of the ecosystem.
GoPlus Security, which regularly monitors emerging crypto sectors for wallet-level threats and contract risks, said it intends to continue analyzing x402-related code as new projects appear. The company stated that it is “deeply involved in x402” and that it welcomes inquiries from teams seeking security reviews.
For users, the report serves as a reminder that enthusiasm around a new concept — even one tied to a long-standing internet idea — does not necessarily come with reliable technical safeguards.