Executive Summary
- A report by GoPlus Security has identified severe, recurring vulnerabilities in the rapidly expanding x402 token ecosystem.
- Identified flaws include excessive permissions, unlimited minting functions, and bypass routes that allow for asset drainage.
- A recent exploit on October 28, attributed to these vulnerabilities, resulted in USDC being drained from over 200 wallets.
- The report names several specific tokens, including FLOCK, x420, and PENG, as having critical security risks requiring immediate attention.
A recent security report from GoPlus Security has identified severe vulnerabilities across the rapidly expanding x402 token ecosystem, which have led to recent exploits draining funds from hundreds of user wallets. The analysis highlights a pattern of recurring flaws, including excessive permissions and design weaknesses, that are appearing faster than security audits can review them.
Report Details Systemic Flaws
The GoPlus Security report was compiled using a language-model-based auditing engine to review token permissions, internal routes, and exposed functions. The analysis uncovered recurring patterns of risk, such as excessive authorizations allowing owners to extract assets belonging to others, unlimited minting capabilities, and special routes that bypass standard allowance checks. Other identified issues include signatures vulnerable to replay attacks and architectures that facilitate honeypot-like behaviors.
According to the report, these vulnerabilities are not merely theoretical. On October 28, an x402 cross-chain protocol was exploited due to misconfigured permissions, resulting in an attacker draining USDC stablecoin from more than 200 wallets within minutes. In another instance, the Hello402 token experienced a sharp price drop attributed to its design, which included unlimited minting, centralization risks, and insufficient liquidity.
Specific Tokens Cited for Critical Risks
The security firm listed several projects with critical vulnerabilities. These include FLOCK, which allows an owner to extract any ERC20 token from the contract, and x420, which permits unrestricted minting. Others cited were U402, which delegates unlimited token creation, and PENG, which contains a route to drain ETH combined with an allowance bypass. Similar patterns were noted in x402Token, x402b, and x402MO.
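As an added illustration, and not code from the GoPlus report or from any of the projects it names, the following constructed Solidity contracts put three of the recurring patterns described above (an owner route that sweeps any ERC20 or ETH out of the contract, uncapped minting, and a privileged transfer route that skips the allowance check) beside the form an auditor would expect to see instead. All contract and function names (MinimalERC20, WeakToken, HardenedToken, rescue, adminTransfer, maxSupply, treasury) are assumptions for this example; the replay-vulnerable signature issue from the report is not covered here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 core shared by both examples (constructed for illustration only).
abstract contract MinimalERC20 {
    string public name;
    string public symbol;
    uint8 public constant decimals = 18;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    address public owner;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed holder, address indexed spender, uint256 value);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(string memory n, string memory s) { name = n; symbol = s; owner = msg.sender; }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }
    function transfer(address to, uint256 value) external returns (bool) {
        _transfer(msg.sender, to, value);
        return true;
    }
    // The only legitimate way to move someone else's tokens: charge the allowance first.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        _spendAllowance(from, msg.sender, value);
        _transfer(from, to, value);
        return true;
    }
    function _transfer(address from, address to, uint256 value) internal {
        require(balanceOf[from] >= value, "insufficient balance");
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
    }
    function _spendAllowance(address from, address spender, uint256 value) internal {
        uint256 a = allowance[from][spender];
        require(a >= value, "insufficient allowance");
        allowance[from][spender] = a - value;
    }
    function _mint(address to, uint256 value) internal {
        totalSupply += value;
        balanceOf[to] += value;
        emit Transfer(address(0), to, value);
    }
}

interface IERC20 {
    function transfer(address to, uint256 value) external returns (bool);
}

// The weak patterns, as an audit would flag them.
contract WeakToken is MinimalERC20 {
    constructor() MinimalERC20("Weak", "WEAK") {}
    // (1) Unlimited minting: no cap and no schedule, so supply can be inflated at will.
    function mint(address to, uint256 amount) external onlyOwner { _mint(to, amount); }
    // (2) Excessive permission: the owner can sweep any ERC20 held by the contract,
    //     including this token's own balance held for users, and any ETH it holds.
    function rescue(address token, uint256 amount) external onlyOwner {
        require(IERC20(token).transfer(owner, amount), "transfer failed");
    }
    function sweepETH() external onlyOwner { payable(owner).transfer(address(this).balance); }
    // (3) Allowance bypass: moves tokens from any holder without _spendAllowance,
    //     so a user's approvals give no protection at all.
    function adminTransfer(address from, address to, uint256 amount) external onlyOwner {
        _transfer(from, to, amount);
    }
    receive() external payable {}
}

// The hardened forms of the same three features.
contract HardenedToken is MinimalERC20 {
    uint256 public immutable maxSupply;   // fixed at deploy, cannot be raised later
    address public immutable treasury;    // fixed destination for rescued funds
    constructor(uint256 cap, address treasury_) MinimalERC20("Hardened", "HARD") {
        maxSupply = cap;
        treasury = treasury_;
    }
    // (1) Capped minting: totalSupply can never exceed the immutable cap.
    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply + amount <= maxSupply, "cap exceeded");
        _mint(to, amount);
    }
    // (2) Scoped rescue: only foreign tokens sent here by mistake, never this token,
    //     and only to the fixed treasury rather than whichever key holds owner.
    function rescue(address token, uint256 amount) external onlyOwner {
        require(token != address(this), "cannot sweep own token");
        require(IERC20(token).transfer(treasury, amount), "transfer failed");
    }
    // (3) No privileged transfer route exists: every third-party move of a holder's
    //     tokens goes through transferFrom and therefore through _spendAllowance.
}
```

The review checks this reduces to are mechanical: any function that calls `_transfer` with a `from` other than `msg.sender` and does not first call `_spendAllowance` is an allowance bypass; any `_mint` reachable without a supply cap is unlimited minting; and any owner-only function that calls `transfer` on an arbitrary token address or sends the contract's ETH balance to `owner` is an asset-extraction route. A token that needs a rescue function should still fail the first check in `HardenedToken.rescue` for its own address.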
The findings underscore the report’s central message that the x402 ecosystem, which proposes a native micropayment system inspired by the HTTP 402 "Payment Required" status code, requires a more rigorous and comprehensive review process. GoPlus asserts that every new token must undergo a deep audit before launch to mitigate risks that are growing alongside the protocol’s adoption.
