Security · 1h ago
x402 payment protocol vulnerable to four attack primitives
The x402 payment layer, handling over 130 million transactions and integrated with Google Cloud, Cloudflare, and Stripe, has a state-synchronization gap between HTTP request and blockchain settlement. A peer-reviewed paper identifies four attack primitives: cross-resource substitution, duplicate-settlement race, allowance overdraft, and denial of settlement. The paper also proves that no output-only pricing can be both fair and bounded against hidden computational token inflation.
Meridian48 take
Because the flaw is structural to x402's design rather than an implementation bug, any system built on top of it inherits these risks, making this a foundational security concern for agent payments.
Read the full reporting
The x402 payment layer has a state-synchronization gap, and four agent-payment attacks fall out of it →
DEV Community
x402 · agent-payments