Five Attacks on x402 Agentic Payment Protocol
Zelin Li, Qin Wang, Zhipeng Wang

TL;DR
This paper analyzes the x402 payment protocol, revealing five practical vulnerabilities through formal analysis and empirical testing, and proposes mitigations.
Contribution
The paper provides the first formal and empirical security analysis of x402, identifying critical vulnerabilities and suggesting practical fixes.
Findings
All five identified attacks are practical and can cause unpaid or denied payments.
The attacks affect authorization, binding, replay protection, and web-layer handling.
Mitigations are proposed to address the vulnerabilities.
Abstract
The x402 protocol revives the HTTP 402 Payment Required status code to enable web-native micropayments across APIs, content, and agents. It combines synchronous HTTP authorization with asynchronous blockchain settlement and introduces a cross-layer attack surface absent from conventional web and on-chain payments. In this paper, we formally analyze x402 and empirically show that it is vulnerable in both design and implementation. We present five concrete attacks that reveal weaknesses in authorization, binding, replay protection, and web-layer handling, showing that x402 is vulnerable across multiple stages of the payment workflow. We validate these attacks through a reproducible testbed on local chains, Base Sepolia, and live endpoints and further audit three open-source SDKs and endpoints. Our results show that all five attacks are practical and can cause either unpaid service or…
