Hackers stole over 17,000 USDC from the 402bridge protocol due to a private key leak

On October 27, an unidentified hacker launched an attack on the cross-chain bridge 402bridge, stealing tokens valued at 17,693 USDC. A leak of a private key compromised over a dozen test and main wallets belonging to the team.

Security experts from GoPlus stated that the breach stemmed from "excessive authorization" before the release of coins. The attacker changed the ownership of the compromised smart contract and, using the transferUserToken method, transferred excess USDC to the accounts of over 200 users. Following this, they stole stablecoins, converted them to 4.2 ETH, and transferred them to the Arbitrum network.

Experts advised all affected users to revoke authorization in the smart contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5.
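As an added illustration of that advice (not code from GoPlus or 402bridge), the Python sketch below scans ERC-20 Approval logs for owners whose latest approval to the contract above is still non-zero and builds the approve(spender, 0) calldata that revokes it. The sample logs and wallet addresses are constructed, the helper names are hypothetical, and the token contract that would receive the call is not given in the article.

```python
SPENDER = "0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5"  # contract named in the article
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1       # the usual "unlimited" allowance

def word(value):
    """ABI-encode an address (hex string) or uint256 (int) as one 32-byte word."""
    return format(int(value, 16) if isinstance(value, str) else value, "064x")

def topic_to_address(topic):
    """An indexed address is the low 20 bytes of its 32-byte topic."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, spender=SPENDER):
    """Return {owner: amount} where the most recent Approval to spender is non-zero.
    Logs record what was granted; the token's allowance() call is authoritative."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if topic_to_address(topics[2]) != spender.lower():
            continue  # approval granted to some other spender
        latest[topic_to_address(topics[1])] = int(log["data"], 16)
    return {owner: amt for owner, amt in latest.items() if amt > 0}

def revoke_calldata(spender=SPENDER):
    """Calldata for approve(spender, 0), to be sent by the owner to the token contract."""
    return "0x" + APPROVE_SELECTOR + word(spender) + word(0)

# Constructed sample data: three made-up wallets and one unrelated spender.
ALICE, BOB, CAROL = ("0x" + b * 20 for b in ("a1", "b2", "c3"))
OTHER_SPENDER = "0x" + "d4" * 20

def make_log(block, index, owner, spender, amount):
    topics = [APPROVAL_TOPIC, "0x" + word(owner), "0x" + word(spender)]
    return {"blockNumber": block, "logIndex": index, "topics": topics,
            "data": "0x" + word(amount)}

SAMPLE_LOGS = [
    make_log(105, 0, BOB, SPENDER, 0),                # Bob already revoked
    make_log(100, 0, ALICE, SPENDER, MAX_UINT256),    # Alice: unlimited, still open
    make_log(101, 2, BOB, SPENDER, 5_000_000),        # Bob's earlier approval
    make_log(102, 1, CAROL, OTHER_SPENDER, MAX_UINT256),
]

if __name__ == "__main__":
    print(outstanding_approvals(SAMPLE_LOGS))
    print(revoke_calldata())
```

Real JSON-RPC log entries carry blockNumber and logIndex as hex strings, so convert them to integers before sorting.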

According to 402bridge, the x402 resolution mechanism requires users to sign or approve transactions through a web interface, which are then sent to an internal server. It is on this server that fund withdrawals and coin issuance occur.

"When connecting to the site, we need to keep the private key on the server to call the contract methods. This step can expose admin rights, as the key is connected to the internet at this stage. If a leak occurs, a hacker can obtain these rights and redirect user funds to conduct an attack," the affected project’s team explained.

The developers have notified law enforcement about the incident and are conducting an internal investigation.

According to a theory from SlowMist experts, the breach may have been orchestrated by an insider.

This attack marks the first public incident of theft associated with an x402 protocol service. x402 is an online payment tool designed for stablecoin transactions. It also enables AI agents to make autonomous trades.

Coinbase introduced the project in May. The solution is based on the HyperText Transfer Protocol (HTTP), which is used for exchanging data between web browsers and servers.

In just a month, on-chain activity in x402 surged by more than ten times.

Two days prior to the 402bridge incident, crypto researcher Gabriel Shapiro and Solana co-founder Anatoly Yakovenko debated the security of layer two solutions.

Shapiro asserted that L2s do not have to be decentralized since their security is provided by the Ethereum blockchain: users can demand that transactions be included in blocks, and the risks associated with centralized control are mitigated by L1 mechanisms.

Yakovenko countered that the vulnerability of current L2s lies in their reliance on multisigs, which can alter bridge contracts without notifying users and directly control funds. He contrasted this with Solana validators, who cannot interfere with the network state.

Shapiro noted that modern multisigs, such as those in ZKsync, are backed by legal and governance guarantees, not just code. However, according to Yakovenko, legal structures do not eliminate the technical risks of centralized control.

In the final part of the thread, the Solana co-founder stated that L2s do not inherit Ethereum’s security; rather, they replicate the vulnerabilities of cross-chain bridges like Wormhole.

Shapiro perceives L2s as a separate level of trust compromises that, in his view, will become more secure with the advancement of zero-knowledge proofs.

It’s worth noting that experts from Global Ledger believe the primary issue facing the crypto industry is the speed at which funds are withdrawn by criminals after hacks. Cross-chain bridges have become the main tool for hackers to launder money.