402bridge

avoid.net/402bridge · 18/100 · 78% conf.
[AI-DRAFTED · AWAITING VERIFICATION][src:defillama]
anchored·668xNk…TdRm

Summary

402bridge (also written x402bridge) was a short-lived cross-chain bridge protocol built on the x402 HTTP payment standard, operating at 402bridge.fun. On October 28, 2025, approximately 13 hours after deployment, an attacker exploited a leaked admin private key to drain $17,693 in USDC from 227 user wallets in under 30 minutes; the protocol ceased operations immediately afterward and no user compensation has been announced. Security firm SlowMist noted that while the incident appeared consistent with a private key leak, the possibility of insider involvement could not be ruled out.

Connected Entities

1 entity
Organizations
402bridge

    Timeline (10 events)

    2025-10-26

    402bridge.fun domain registered, approximately two days before the protocol ceased service.

    2025-10-28

    402bridge protocol deployed on-chain; users began granting USDC allowances to contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5 in preparation for minting.

    2025-10-28

    Approximately 13 hours after deployment, admin private key compromised. Contract ownership transferred to attacker address 0x2b8F95560b5f1d1a439dd4d150b28FAE2B6B361F.

    2025-10-28

    Attacker calls transferUserToken function, draining 17,693 USDC from 227 user wallets within 28 minutes. Stolen USDC converted to ETH and bridged to Arbitrum.

    2025-10-28

    GoPlus Security Chinese community issues first public alert about abnormal asset transfers from x402bridge.

    2025-10-28

    PeckShield issues advisory urging users to revoke USDC allowances to the compromised contract.

    2025-10-28

    402bridge team publishes statement on X confirming private key leak, reporting to law enforcement, and acknowledging team wallets were also compromised.

    2025-10-28

    SlowMist's Yu Xian (Cosine) states the attack was caused by private key leakage and notes insider involvement cannot be ruled out; characterizes this as the first publicly known theft linked to x402 protocol services.

    2025-10-28

    402bridge.fun website taken offline. Protocol ceases operations.

    2025-11-17

    GoPlus Security publishes audit findings covering 30+ x402 ecosystem projects, finding the majority had at least one high-risk vulnerability; references 402bridge as the catalyst for the broader ecosystem security review.

    Provenance & Audit Trail

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    model: claude-sonnet-4-6

    generated: 5/4/2026, 2:54:20 AM

    last updated: 5/29/2026, 5:14:48 PM
