Key Highlights
- GoPlus Security scanned over 30 projects in the x402 ecosystem, finding that the majority had at least one high-risk issue.
- The most frequent vulnerabilities were Excessive Authorization (owner can drain funds) and Unlimited Minting (destroying token value).
- The audit follows the October 28 exploit of 402bridge, where attackers used excessive authorization to steal USDC from over 200 user accounts.
A new security report has raised concerns about the fast-expanding x402 ecosystem, a collection of cryptocurrency projects built around an attempt to revive a long-ignored part of the early internet: the HTTP 402 “Payment Required” status code.
The idea behind x402 is simple on paper. When the web was originally designed, HTTP 402 was intended to signal that a user must pay before accessing a resource. The code was never widely implemented, but developers in the crypto sector have revived the concept to enable automated payments at the protocol level.
Over the past several months, dozens of projects have adopted the 402 theme, from basic tokens to cross-chain payment tools.
As interest grew—boosted by mentions from major tech and crypto companies—so did speculation. Many of the newest additions to the ecosystem are meme-style tokens launched quickly to capitalize on the trend, often without basic security checks.
Now, GoPlus Security, a blockchain security company known for running automated risk-scanning services and wallet-level security tools, has published a review of more than 30 x402-related projects. The company says the goal of the scan was to map out the types of risks appearing repeatedly as the ecosystem expands.
What GoPlus found
GoPlus used its internal AI-assisted auditing engine to examine x402 projects listed in the x402 sections of Binance Wallet, OKX Wallet, and community-flagged lists. According to the company, the majority of projects scanned showed at least one high-risk issue.
The report identifies several categories of vulnerabilities that appeared frequently:
Excessive Authorization
Some contracts give owners or administrators the ability to move tokens that belong to the contract or its users. This means the person or group controlling the contract could withdraw funds at any time.
Signature Replay
Some projects use digital signatures to approve actions but do not include protections like nonces or expiration times. Because of this, the same signature can be used again to perform unauthorized actions.
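The nonce-and-expiry protection described above, as an added Solidity example that is not code from GoPlus or from any project in the report; the contract `Vault`, its `signer` and `withdrawWithSig` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not taken from the report or any project: a signed-withdrawal check
// hardened against replay. `Vault`, `withdrawWithSig` and `signer` are hypothetical names.
contract Vault {
    address public immutable signer;            // off-chain approver whose signatures are trusted
    mapping(address => uint256) public nonces;  // per-user counter; each value is usable once
    mapping(address => uint256) public balances;

    constructor(address _signer) { signer = _signer; }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    // Replayable shape described in the report, for contrast:
    //   digest = keccak256(abi.encode(user, amount));  // no nonce, no deadline
    // Any valid signature could be resubmitted until the user's balance was gone.
    function withdrawWithSig(uint256 amount, uint256 deadline, bytes calldata sig) external {
        require(block.timestamp <= deadline, "signature expired");
        uint256 nonce = nonces[msg.sender]++;   // consume the nonce before any external call
        // Bind the signature to this chain, this contract, this caller, this nonce and deadline
        bytes32 digest = keccak256(
            abi.encode(block.chainid, address(this), msg.sender, amount, nonce, deadline));
        require(_recover(digest, sig) == signer, "bad signature");
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        // Reject high-s values (the malleable second form of the same signature)
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        require(v == 27 || v == 28, "bad v");
        // personal_sign prefix so wallet-produced signatures verify
        bytes32 ethHash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));
        address recovered = ecrecover(ethHash, v, r, s);
        require(recovered != address(0), "invalid signature");
        return recovered;
    }
}
```

Because the chain id, contract address, caller and nonce are all part of the digest, a signature captured on one deployment cannot be reused on another, and a consumed nonce cannot be presented twice.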
Honeypot Structures
Some contracts hide owner-only functions or special conditions that block user withdrawals after initial interaction, making the risk non-obvious to early users.
Unlimited Minting
Some token contracts lack proper restrictions on mint functions, allowing anyone, or a special account, to create unlimited tokens, which dilutes the value of existing tokens and can undermine the project.
Recent x402-related Incidents
- October 28: The cross-chain protocol 402bridge was exploited because of excessive authorization. Attackers moved USDC from more than 200 user accounts.
- November 12: The project Hello402 (@Xlayer402) had unlimited minting, centralization issues, and low liquidity. These problems caused the token’s price to fall.
Project-specific findings
GoPlus listed several contracts showing high-risk behavior, illustrating a pattern where control is concentrated in a single party or token creation is unrestricted:
- FLOCK (0x5ab3): “The transferERC20 function allows the owner to extract any amount of any token from the contract.”
- x420 (0x68e2): “The crosschainMint function can mint tokens without restrictions.”
- U402 (0xd2b3): “The mintByBond function allows a bond to mint tokens without restrictions.”
- MRDN (0xe57e): “The withdrawToken function allows the owner to extract any amount of any token from the contract.”
- PENG (0x4444ee, 0x444450, 0x444428): “The manualSwap function allows the owner to extract ETH from the contract, and the transferFrom function bypasses allowance checks for special accounts.”
- x402Token (0x40ff): “The transferFrom function bypasses allowance checks for special accounts.”
- x402b (0xd8af5f): “The manualSwap function allows the owner to extract ETH from the contract, and the transferFrom function bypasses allowance checks for special accounts.”
- x402MO (0x3c47df): “The manualSwap function allows the owner to extract ETH from the contract, and the transferFrom function bypasses allowance checks for special accounts.”
- H402 (Old) (0x8bc76a): “The withdrawDevToken function allows the owner to directly mint tokens, and addTokenCredits+redeemTokenCredits functions enable unlimited minting.”
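For contrast with the Excessive Authorization and Unlimited Minting categories above and the mint, transferFrom and withdraw findings in this list, an added Solidity example (not code from GoPlus or any project named here) of a minimal token whose corresponding paths are bounded; `Token402`, `MAX_SUPPLY`, `minter` and `rescueERC20` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not code from GoPlus or any project named above: a minimal token whose
// mint, transferFrom and token-rescue paths avoid the patterns quoted in the findings.
// Token402, MAX_SUPPLY, minter and rescueERC20 are hypothetical names.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract Token402 {
    uint256 public constant MAX_SUPPLY = 1_000_000 ether; // hard cap: no unlimited minting
    address public immutable minter; // fixed at deployment; cannot be re-pointed by an owner
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address _minter) { minter = _minter; }
    // "crosschainMint can mint tokens without restrictions": only `minter`, never past the cap.
    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(totalSupply + amount <= MAX_SUPPLY, "cap exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // "transferFrom bypasses allowance checks for special accounts": the allowance is
    // enforced for every spender; there is no privileged list that skips it.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "allowance exceeded");
        require(balanceOf[from] >= amount, "insufficient balance");
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    // "withdrawToken/transferERC20 allows the owner to extract any token": rescue moves only
    // tokens sent here by mistake and refuses this token itself.
    function rescueERC20(IERC20 token, address to) external {
        require(msg.sender == minter, "not minter");
        require(address(token) != address(this), "cannot sweep own token");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}
```

A contract that custodies user deposits, such as a bridge, would apply the same rule to the deposited asset: any sweep function must exclude balances the contract holds on users' behalf.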
A growing sector with uneven standards
The x402 trend emerged quickly, pulling in developers, traders, and opportunistic token creators at the same time. As with many fast-moving crypto narratives, the pace of launches has outstripped security practices in several parts of the ecosystem.
GoPlus Security, which regularly monitors emerging crypto sectors for wallet-level threats and contract risks, said it intends to continue analyzing x402-related code as new projects appear. The company stated that it is “deeply involved in x402” and that it welcomes inquiries from teams seeking security reviews.
For users, the report serves as a reminder that enthusiasm around a new concept—even one tied to a long-standing internet idea—does not necessarily come with reliable technical safeguards.