
On October 28, 2025, the GoPlus Chinese community issued a security alert: The x402 cross-chain protocol @402bridge was suspected to have been hacked, resulting in losses of USDC assets for over 200 users.
This article summarizes the theft incident involving the 402Bridge cross-chain protocol, the responses from the official team and various parties, analyzes the causes of the theft, and discusses other hacking cases caused by private key leaks.
I. Incident Recap and Responses from 402Bridge Official and Various Parties
In the early morning, the official 402Bridge X account posted: Based on community feedback, a token theft incident has occurred. Our technical team is currently investigating the entire process. All users are advised to immediately revoke all existing approvals and transfer assets out of their wallets as soon as possible.
Subsequently, the official account continued posting: The x402 mechanism requires users to sign or approve transactions through the web interface, which are then sent to the backend server. The backend server extracts the funds and executes the minting, finally returning the result to the user. When we integrated https://x402scan.com, we needed to store the private key on the server to call contract methods. This step might expose administrator privileges because the admin private key was connected to the internet at this stage, potentially leading to privilege leakage. If hackers obtain the private key, they can take over these privileges and reallocate user funds to carry out an attack. We are still investigating the specific attack details.
Two hours ago, the official account stated: Due to this private key leak, more than ten test wallets and the main wallet of the team were also compromised (as shown in the figure below). We have immediately reported this matter to law enforcement and will keep the community informed of the latest developments in a timely manner.
The GoPlus Chinese community reconstructed the theft incident:
The Creator of contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5 transferred the Owner to 0x2b8F95560b5f1d1a439dd4d150b28FAE2B6B361F. Then, the new Owner called the transferUserToken method in the contract to transfer the remaining USDC from all authorized user wallets.
Before minting, users needed to approve USDC for the @402bridge contract, which led to over two hundred users having their remaining USDC transferred out due to excessive approval amounts. 0x2b8F95560b5f1d1a439dd4d150b28FAE2B6B361F transferred a total of 17,693 USDC from users, then swapped the USDC for ETH and, after multiple cross-chain transactions, bridged it to Arbitrum.
GoPlus Security Recommendations:
- Users who have participated in this project should revoke relevant approvals for (0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5) as soon as possible.
- Check if the approval address is the official project address before granting any approval.
- Only approve the necessary amount; avoid unlimited approvals.
- Regularly review approvals and revoke unused ones.
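An added example (not code from GoPlus or the 402Bridge team) of the approval review recommended above: it replays ERC-20 `Approval` logs to find allowances still open to the contract named in the alert and builds the `approve(spender, 0)` calldata that revokes one. The owner addresses, amounts, log records and the 1 USDC "needed" amount are constructed for illustration, and the function names are this example's own.

```python
# Added example: find ERC-20 allowances still open to one spender, from Approval logs.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
APPROVE_SELECTOR = "095ea7b3"      # approve(address,uint256)
MAX_UINT256 = 2**256 - 1           # the usual "unlimited" approval value
SPENDER = "0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5"  # contract named in the alert

def _pad(addr):                    # address -> 32-byte ABI word (hex, no 0x)
    return addr[2:].lower().rjust(64, "0")

def _log(owner, spender, value):   # build one constructed Approval log record
    return {"topics": [APPROVAL_TOPIC, "0x" + _pad(owner), "0x" + _pad(spender)],
            "data": "0x" + format(value, "064x")}

# Constructed sample data, oldest first (USDC has 6 decimals: 1_000_000 = 1 USDC).
ALICE, BOB, CAROL = ("0x" + c * 20 for c in ("a1", "b2", "c3"))
OTHER_SPENDER = "0x" + "d4" * 20
SAMPLE_LOGS = [
    _log(ALICE, SPENDER, MAX_UINT256),      # unlimited approval
    _log(BOB, SPENDER, 5_000_000),
    _log(CAROL, SPENDER, 50_000_000),       # far more than one mint needed
    _log(BOB, SPENDER, 0),                  # Bob revoked later
    _log(ALICE, OTHER_SPENDER, 1_000_000),  # unrelated spender, ignored
]

def outstanding_allowances(logs, spender):
    """Replay logs in order; the last Approval per owner is the latest set value.
    A token may lower the allowance on transferFrom without a new event, so treat
    the result as an upper bound and confirm with allowance(owner, spender)."""
    live = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topics[2][-40:].lower() != spender[2:].lower():
            continue
        live["0x" + topics[1][-40:].lower()] = int(log["data"], 16)
    return {owner: v for owner, v in live.items() if v > 0}

def classify(allowance, needed):
    if allowance == MAX_UINT256:
        return "unlimited"
    return "excessive" if allowance > needed else "ok"

def revoke_calldata(spender):
    """Calldata for approve(spender, 0); the owner sends it to the token contract."""
    return "0x" + APPROVE_SELECTOR + _pad(spender) + "0" * 64

if __name__ == "__main__":  # needed=1_000_000 is an assumed per-mint amount
    for owner, value in outstanding_allowances(SAMPLE_LOGS, SPENDER).items():
        print(owner, classify(value, needed=1_000_000), revoke_calldata(SPENDER)[:10])
```

On the sample data only Alice (unlimited) and Carol (50 USDC) remain exposed; Bob's later zero-value approval removed his entry.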
X user @EamonSol pointed out: Many current x402 implementations essentially deploy a service on http://x402scan.com. This service forwards on-chain interactions to the project's server, which then interacts with the blockchain to distribute tokens. This process necessarily requires placing the private key of the on-chain contract on the server. Once the project's server is compromised, all addresses related to the contract are exposed to risk.
X user @fenzlabs pointed out: This case highlights the dangers of unlimited token approvals. Wallets and AI agents need stricter restrictions and more comprehensive monitoring to prevent these rapidly occurring thefts. Never blindly trust new contracts—always check carefully before signing!
II. Cause of the Theft
According to analysis by MistTrack's Yu Xian, the attack on the cross-chain bridge project 402Bridge originated from a private key leak, and the possibility of insider involvement cannot be ruled out. The domain 402bridge.fun was registered only two days before it ceased service. Currently, the stolen funds have not shown further movement. This is the first public security incident related to the 402 protocol services. MistTrack's Yu Xian stated that this incident is not a typical case of collective malicious activity by the project team.
"The incident is not typical collective malicious activity by the project team" implies that the attack is more likely due to internal security control failures or precise infiltration by external hackers, rather than deliberate fraud by the project team.
III. Other Hacking Cases Caused by Private Key Leaks
- Nomad
  In August 2022, the Nomad Bridge was hacked, with nearly all of its $200 million being stolen. After the hack, Moonbeam blocked anyone from making transactions or interacting with smart contracts. The core reason for the attack was an error in the contract verification mechanism, allowing private keys or permission signature logic to be easily forged.
- Ankr
  In December 2022, an Ankr node private key was leaked. The attacker forged a contract and infinitely minted aBNBc tokens, causing losses of approximately $5 million. Ankr's response: Restored security and collaborated with DEXs to halt trading; formulated and executed a comprehensive compensation plan for the community; determined the attack was initiated by a former employee. Ankr officially confirmed the cause of the hack as "compromise of a deployer key."
- Platypus Finance
  In February 2023, an attacker exploited an admin private key vulnerability to attack the stablecoin pool, stealing approximately $9 million USDC. The team later recovered some of the assets and stated that the "developer private key was suspected to have been compromised externally."
- Multichain
  In July 2023, core team members of Multichain "lost contact," and the project's master private keys were suspected to be controlled by a single individual. Subsequently, approximately $126 million in assets were transferred out, making it one of the largest permission-based attack incidents in the history of cross-chain bridges.
- Exactly Protocol
  In April 2024, an attacker used a deployed private key leaked from a frontend server to replace a contract, stealing approximately $7.3 million. The incident exposed the widespread industry problem of weak private key custody and DevOps process security.
- UXLINK
  In September 2025, security firm Cyvers' system detected suspicious transactions involving UXLINK worth $11.3 million, which were later confirmed as theft. MistTrack's Yu Xian pointed out: It is highly likely that several private keys related to UXLINK's Safe multi-signature wallet were leaked. The UXLINK theft directly caused the UXLINK token price to plummet by over 70%.
