arxiv: 2605.11781 · v1 · submitted 2026-05-12 · 💻 cs.CR

Recognition: 2 theorem links

· Lean Theorem

Five Attacks on x402 Agentic Payment Protocol

Zelin Li , Qin Wang , Zhipeng Wang

Authors on Pith no claims yet

Pith reviewed 2026-05-13 05:47 UTC · model grok-4.3

classification 💻 cs.CR

keywords x402 protocolmicropaymentssecurity attacksHTTP 402blockchain settlementauthorizationreplay protectionpayment workflow

0 comments

The pith

The x402 payment protocol is vulnerable to five attacks that allow either unpaid service or paid-but-denied outcomes.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines the x402 protocol, which revives the HTTP 402 status code to enable micropayments for web content and agents using blockchain for settlement. It identifies weaknesses in authorization, binding, replay protection, and web-layer handling that arise from combining synchronous HTTP authorization with asynchronous blockchain settlement. The authors demonstrate five concrete attacks through a testbed on local chains, Base Sepolia, and live endpoints, and by auditing three open-source SDKs. If these attacks are practical, they show that x402 implementations can be exploited to obtain services without payment or to have payments rejected after they are made. This matters because it affects the security of emerging web-native payment systems for APIs and agents.

Core claim

We present five concrete attacks that reveal weaknesses in authorization, binding, replay protection, and web-layer handling in the x402 protocol. This cross-layer design, absent from conventional web and on-chain payments, leaves the protocol vulnerable across multiple stages of the payment workflow. We validate these attacks through a reproducible testbed on local chains, Base Sepolia, and live endpoints and further audit three open-source SDKs and endpoints. Our results show that all five attacks are practical and can cause either unpaid service or paid-but-denied outcomes. We also propose practical mitigations.

What carries the argument

The five attacks on authorization, binding, replay protection, and web-layer handling in the x402 protocol's synchronous HTTP and asynchronous blockchain payment flow.

If this is right

Unpaid service becomes possible when attackers exploit the identified weaknesses in the payment workflow.
Payments can be made on the blockchain but still result in denied service due to binding or authorization failures.
The vulnerabilities affect the protocol at multiple stages from initial authorization to final settlement.
Audits of open-source SDKs confirm the attacks apply to real implementations.
Proposed mitigations can address the weaknesses in authorization and replay protection.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Protocols that bridge web requests and blockchain settlements in similar ways may share these cross-layer vulnerabilities.
Security evaluations of agentic payment systems should include tests for replay and binding attacks.
Widespread use of x402 would require implementing the suggested mitigations to prevent exploitation.
The testbed method provides a model for assessing other hybrid payment protocols.

Load-bearing premise

The local testbed, Base Sepolia, and live endpoints accurately model real-world x402 deployments and that the weaknesses have not been mitigated in production.

What would settle it

Demonstrating that none of the five attacks succeed in granting unpaid service or causing paid-but-denied outcomes on a live x402 deployment would show the vulnerabilities are not practical.

Figures

Figures reproduced from arXiv: 2605.11781 by Qin Wang, Zelin Li, Zhipeng Wang.

**Figure 2.** Figure 2: Illustration of Attack I. In Attack I-A, the server [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗

**Figure 3.** Figure 3: Illustration of Attack II. A client pays once but [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗

**Figure 4.** Figure 4: Illustration of Attack III. A client request passes [PITH_FULL_IMAGE:figures/full_fig_p007_4.png] view at source ↗

**Figure 5.** Figure 5: Illustration of Attack IV. The attacker, in E1, crafts [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗

**Figure 6.** Figure 6: Attack I-A results with𝑇𝑏=2 s and 5,000 requests per condition. (a) RGP0 grows with reorg probability and delay. (b) Increasing 𝑘 lowers RGP𝑘 to the CI floor but raises 𝑇gf from 1.6 s to 25.1 s. Control cases bound the behavior: conservative execution with an honest facilitator yields no revert-grants, while a Byzantine facilitator reaches the upper bound. The local trace reproduces the failure path: 𝐶 pay… view at source ↗

**Figure 7.** Figure 7: Attack IV selection rates across 12 categories ordered by competition density. Bars: E2 Sybil flooding at [PITH_FULL_IMAGE:figures/full_fig_p011_7.png] view at source ↗

read the original abstract

The x402 protocol revives the HTTP 402 Payment Required status code to enable web-native micropayments across APIs, content, and agents. It combines synchronous HTTP authorization with asynchronous blockchain settlement and introduces a cross-layer attack surface absent from conventional web and on-chain payments. In this paper, we formally analyze x402 and empirically show that it is vulnerable in both design and implementation. We present five concrete attacks that reveal weaknesses in authorization, binding, replay protection, and web-layer handling, showing that x402 is vulnerable across multiple stages of the payment workflow. We validate these attacks through a reproducible testbed on local chains, Base Sepolia, and live endpoints and further audit three open-source SDKs and endpoints. Our results show that all five attacks are practical and can cause either unpaid service or paid-but-denied outcomes. We also propose practical mitigations.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 3 minor

Summary. The manuscript analyzes the x402 protocol for enabling web-native micropayments via HTTP 402 combined with blockchain settlement. It identifies five concrete attacks exploiting weaknesses in authorization, binding, replay protection, and web-layer handling across the payment workflow. These are validated empirically via a reproducible testbed on local chains, Base Sepolia, and live endpoints, plus audits of three open-source SDKs and endpoints, demonstrating that all attacks are practical and can result in unpaid service or paid-but-denied outcomes. Practical mitigations are also proposed.

Significance. If the attacks remain applicable to current deployments, the work is significant for highlighting cross-layer security risks in emerging agentic and blockchain-integrated payment systems. The reproducible testbed, multi-environment validation (local, testnet, live), and SDK audits provide concrete, falsifiable evidence that strengthens the empirical component and offers actionable guidance for protocol hardening.

major comments (1)

[Evaluation] Evaluation section (and live-endpoint description): the claim that all five attacks are practical in real x402 usage depends on the tested live endpoints and SDK versions matching current production code. The manuscript does not provide commit hashes, exact timestamps, or version numbers for the audited endpoints and SDKs, leaving open the possibility that some weaknesses have already been mitigated; this directly affects whether the practicality conclusion holds for the protocol's present state rather than a historical snapshot.

minor comments (3)

[Abstract] Abstract: the list of five attacks is summarized at a high level; adding one sentence naming the core weakness each targets (e.g., 'authorization bypass via missing nonce binding') would improve immediate reader orientation without lengthening the abstract.
The manuscript states that a formal analysis was performed, yet the provided text emphasizes empirical demonstration. If a formal model or threat model appears in an early section, it should be cross-referenced explicitly when describing how each attack violates the model.
Reproducibility: while a testbed is described, the paper should include a direct pointer (e.g., GitHub commit hash) to the exact attack scripts and test configurations used for the Base Sepolia and live-endpoint experiments.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the constructive feedback and positive assessment of the work's significance, empirical validation, and actionable mitigations. We address the single major comment below and will revise the manuscript accordingly.

read point-by-point responses

Referee: [Evaluation] Evaluation section (and live-endpoint description): the claim that all five attacks are practical in real x402 usage depends on the tested live endpoints and SDK versions matching current production code. The manuscript does not provide commit hashes, exact timestamps, or version numbers for the audited endpoints and SDKs, leaving open the possibility that some weaknesses have already been mitigated; this directly affects whether the practicality conclusion holds for the protocol's present state rather than a historical snapshot.

Authors: We agree that the absence of precise version identifiers weakens the ability to confirm the attacks' applicability to the protocol's current state. The original manuscript prioritized describing the attack mechanisms, testbed reproducibility, and results over exhaustive versioning details. In the revised manuscript we will expand the Evaluation section (and the live-endpoint description) to include the exact commit hashes, version numbers, and timestamps for all three audited open-source SDKs and the live endpoints used in the experiments. This addition will allow readers to map the reported findings to a specific code snapshot and to check for any subsequent mitigations. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical attack validation with no derivations or fitted inputs

full rationale

The paper presents five concrete attacks on the x402 protocol and validates them via direct reproducible testing on local chains, Base Sepolia, live endpoints, plus audits of three open-source SDKs. No mathematical derivation chain, predictions, first-principles results, fitted parameters, or self-citations exist that could reduce claims to inputs by construction. The central results are independent empirical demonstrations of practical vulnerabilities, making the analysis self-contained.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

This is an empirical security analysis paper. No free parameters, axioms, or invented entities are used.

pith-pipeline@v0.9.0 · 5438 in / 1111 out tokens · 81809 ms · 2026-05-13T05:47:34.349603+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

We present five concrete attacks that reveal weaknesses in authorization, binding, replay protection, and web-layer handling... validated through a reproducible testbed on local chains, Base Sepolia, and live endpoints
IndisputableMonolith/Foundation/AlexanderDuality.lean alexander_duality_circle_linking unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

Theorem 6 (Authorization Soundness—Conservative Execution)... Pr[Eauth] ≤ εchain(k)

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

35 extracted references · 35 canonical work pages · 5 internal anchors

[1]

x402: An open standard for internet-native payments, 2025

Erik Reppel, Ronnie Caspers, Kevin Leffew, Danny Organ, Dan Kim, and Nemil Dalal. x402: An open standard for internet-native payments, 2025

work page 2025
[2]

SoK: Blockchain Agent-to-Agent Payments

Yuanzhe Zhang, Yuexin Xiang, Yuchen Lei, Qin Wang, Tian Qiu, Yujing Sun, Spiridon Zarkov, Tsz Hon Yuen, Andreas Deppeler, Jiangshan Yu, et al. SoK: Blockchain agent-to-agent payments.arXiv preprint arXiv:2604.03733, 2026

work page internal anchor Pith review Pith/arXiv arXiv 2026
[3]

Agent2agent (A2A) protocol.Accessible at https:// a2a-protocol.org/lat est/ ., 2025

Google. Agent2agent (A2A) protocol.Accessible at https:// a2a-protocol.org/lat est/ ., 2025

work page 2025
[4]

SoK: Layer-two blockchain protocols

Lewis Gudgeon, Pedro Moreno-Sanchez, Stefanie Roos, Patrick McCorry, and Arthur Gervais. SoK: Layer-two blockchain protocols. InInternational Conference on Financial Cryptography and Data Security (FC), pages 201–226. Springer, 2020

work page 2020
[5]

Sleepy channels: Bi-directional payment channels without watchtowers

Lukas Aumayr, Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Pedro Moreno-Sanchez, and Matteo Maffei. Sleepy channels: Bi-directional payment channels without watchtowers. InACM SIGSAC Conference on Computer and Communications Security (CCS), pages 179–192, 2022

work page 2022
[6]

Microcash: Practical concurrent processing of micropayments

Ghada Almashaqbeh, Allison Bishop, and Justin Cappos. Microcash: Practical concurrent processing of micropayments. InInternational Conference on Financial Cryptography and Data Security (FC), pages 227–244. Springer, 2020

work page 2020
[7]

A402: Bridging web 3.0 payments and web 2.0 services with atomic service channels.arXiv preprint arXiv:2603.01179, 2026

Yue Li, Lei Wang, Kaixuan Wang, Zhiqiang Yang, Ke Wang, Zhi Guan, and Jianbo Gao. A402: Binding cryptocurrency payments to service execution for agentic commerce.arXiv preprint arXiv:2603.01179, 2026

work page arXiv 2026
[8]

Under- standing the impact of APIs behavioral breaking changes on client applications

Dhanushka Jayasuriya, Valerio Terragni, Jens Dietrich, and Kelly Blincoe. Under- standing the impact of APIs behavioral breaking changes on client applications. Proceedings of the ACM on Software Engineering, 1(FSE):1238–1261, 2024

work page 2024
[9]

SoK: Bitcoin layer two (L2)

Minfeng Qi, Qin Wang, Zhipeng Wang, Manvir Schneider, Tianqing Zhu, Shiping Chen, William Knottenbelt, and Thomas Hardjono. SoK: Bitcoin layer two (L2). ACM Computing Surveys (CSUR), 58(3):1–37, 2025

work page 2025
[10]

Cer- berus channels: Incentivizing watchtowers for Bitcoin

Zeta Avarikioti, Orfeas Stefanos Thyfronitis Litos, and Roger Wattenhofer. Cer- berus channels: Incentivizing watchtowers for Bitcoin. InInternational Confer- ence on Financial Cryptography and Data Security (FC), pages 346–366. Springer, 2020

work page 2020
[11]

Probabilistic micropayments with trans- ferability.European Symposium on Research in Computer Security (ESORICS), 2021

Taisei Takahashi and Akira Otsuka. Probabilistic micropayments with trans- ferability.European Symposium on Research in Computer Security (ESORICS), 2021

work page 2021
[12]

Payout races and congested channels: A formal analysis of security in the light- ning network

Ben Weintraub, Satwik Prabhu Kumble, Cristina Nita-Rotaru, and Stefanie Roos. Payout races and congested channels: A formal analysis of security in the light- ning network. InACM SIGSAC Conference on Computer and Communications Security (CCS), pages 2562–2576, 2024

work page 2024
[13]

On the atomicity and efficiency of blockchain payment channels

Di Wu, Shoupeng Ren, Yuman Bai, Lipeng He, Jian Liu, Wu Wen, Kui Ren, and Chun Chen. On the atomicity and efficiency of blockchain payment channels. USENIX Security Symposium (USENIX Sec), 2025

work page 2025
[14]

Time-manipulation attack: Breaking fairness against proof of authority aura

Xinrui Zhang, Rujia Li, Qin Wang, Qi Wang, and Sisi Duan. Time-manipulation attack: Breaking fairness against proof of authority aura. InProceedings of the ACM Web Conference (WWW), pages 2076–2086, 2023

work page 2076
[15]

Does finality gadget finalize your block? a case study of Binance consensus

Rujia Li, Jingyuan Ding, Qin Wang, Keting Jia, Haibin Zhang, and Sisi Duan. Does finality gadget finalize your block? a case study of Binance consensus. USENIX Security Symposium (USENIX Sec), pages 4109–4125, 2025

work page 2025
[16]

Tool prefer- ences in agentic LLMs are unreliable

Kazem Faghih, Wenxiao Wang, Yize Cheng, Siddhant Bharti, Gaurang Srira- manan, Sriram Balasubramanian, Parsa Hosseini, and Soheil Feizi. Tool prefer- ences in agentic LLMs are unreliable. InThe Conference on Empirical Methods in Natural Language Processing (EMNLP), pages 20965–20980, 2025

work page 2025
[17]

ToolTweak: An attack on tool selection in llm-based agents.arXiv preprint arXiv:2510.02554, 2025

Jonathan Sneh, Ruomei Yan, Jialin Yu, Philip Torr, Yarin Gal, Sunando Sengupta, Eric Sommerlade, Alasdair Paren, and Adel Bibi. ToolTweak: An attack on tool selection in llm-based agents.arXiv preprint arXiv:2510.02554, 2025

work page arXiv 2025
[18]

Attractive metadata attack: Inducing LLM agents to invoke malicious tools.arXiv preprint arXiv:2508.02110, 2025

Kanghua Mo, Li Hu, Yucheng Long, and Zhihao Li. Attractive metadata attack: Inducing LLM agents to invoke malicious tools.arXiv preprint arXiv:2508.02110, 2025

work page arXiv 2025
[19]

MCPTox: A Benchmark for Tool Poisoning Attack on Real-World MCP Servers,

Zhiqiang Wang, Yichao Gao, Yanting Wang, Suyuan Liu, Haifeng Sun, Haoran Cheng, Guanquan Shi, Haohua Du, and Xiangyang Li. MCPTox: A benchmark for tool poisoning attack on real-world MCP servers.arXiv preprint arXiv:2508.14925, 2025

work page arXiv 2025
[20]

Os-harm: A benchmark for measuring safety of computer use agents

Ruiqi Li, Zhiqiang Wang, Yunhao Yao, and Xiang-Yang Li. MCP-ITP: An automated framework for implicit tool poisoning in MCP.arXiv preprint arXiv:2601.07395, 2026

work page arXiv 2026
[21]

Sophie Zhang

Dongsen Zhang, Zekun Li, Xu Luo, Xuannan Liu, Peipei Li, and Wenjun Xu. MCP security bench (MSB): Benchmarking attacks against model context protocol in LLM agents.arXiv preprint arXiv:2510.15994, 2025. Accepted to ICLR 2026

work page arXiv 2025
[22]

Overthinking loops in agents: A structural risk via MCP tools.arXiv preprint arXiv:2602.14798, 2026

Yohan Lee, Jisoo Jang, Seoyeon Choi, Sangyeop Kim, and Seungtaek Choi. Overthinking loops in agents: A structural risk via MCP tools.arXiv preprint arXiv:2602.14798, 2026

work page arXiv 2026
[23]

Payment request API, 2022

World Wide Web Consortium. Payment request API, 2022. W3C Recom- mendation. Available at https://www.w3.org/TR/2022/REC-payment-request- 20220908/

work page 2022
[24]

Web monetization, 2025

Web Platform Incubator Community Group. Web monetization, 2025. Draft Community Group Report, 13 March 2025. Available at https://webmonetizatio n.org/specification

work page 2025
[25]

Overview, n.d

Open Payments. Overview, n.d. Open Payments (1.2.0) resource server docu- mentation; accessed April 23, 2026

work page 2026
[26]

From REST to MCP: An Empirical Study of API Wrapping and Automated Server Generation for LLM Agents

Meriem Mastouri, Emna Ksontini, Amine Barrak, and Wael Kessentini. From REST to MCP: An empirical study of API wrapping and automated server gener- ation for LLM agents.arXiv preprint arXiv:2507.16044, 2025

work page internal anchor Pith review Pith/arXiv arXiv 2025
[27]

Exploiting the shared storage API.ACM Conference on Computer and Communications Security (CCS), 2025

Alexandra Nisenoff, Deian Stefan, and Nicolas Christin. Exploiting the shared storage API.ACM Conference on Computer and Communications Security (CCS), 2025

work page 2025
[28]

Brick: Asynchronous incentive-compatible payment channels

Zeta Avarikioti, Eleftherios Kokoris-Kogias, Roger Wattenhofer, and Dionysis Zindros. Brick: Asynchronous incentive-compatible payment channels. In International Conference on Financial Cryptography and Data Security (FC), pages 209–230. Springer, 2021. 15

work page 2021
[29]

Syncpcn/psyncpcn: Payment channel networks without blockchain synchrony

Oguzhan Ersoy, Jérémie Decouchant, Satwik Prabhu Kumble, and Stefanie Roos. Syncpcn/psyncpcn: Payment channel networks without blockchain synchrony. InACM Conference on Advances in Financial Technologies (AFT), 2022

work page 2022
[30]

Three attacks on proof-of-stake Ethereum

Caspar Schwarz-Schilling, Joachim Neu, Barnabé Monnot, Aditya Asgaonkar, Ertem Nusret Tas, and David Tse. Three attacks on proof-of-stake Ethereum. In International Conference on Financial Cryptography and Data Security (FC), pages 560–576. Springer, 2022

work page 2022
[31]

Max attestation matters: Making honest parties lose their incentives in Ethereum PoS

Mingfei Zhang, Rujia Li, and Sisi Duan. Max attestation matters: Making honest parties lose their incentives in Ethereum PoS. InUSENIX Security Symposium (USENIX Sec), pages 6255–6272, 2024

work page 2024
[32]

Available attestation: Towards a reorg-resilient solution for Ethereum proof-of-stake.USENIX Security Symposium (USENIX Sec), 2025

Mingfei Zhang, Rujia Li, Xueqian Lu, and Sisi Duan. Available attestation: Towards a reorg-resilient solution for Ethereum proof-of-stake.USENIX Security Symposium (USENIX Sec), 2025

work page 2025
[33]

Quantifying distributional robustness of agentic tool-selection.arXiv preprint arXiv:2510.03992, 2025

Jehyeok Yeon, Isha Chaudhary, and Gagandeep Singh. Quantifying distributional robustness of agentic tool-selection.arXiv preprint arXiv:2510.03992, 2025

work page internal anchor Pith review arXiv 2025
[34]

Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions

Xinyi Hou, Yanjie Zhao, Shenao Wang, and Haoyu Wang. Model context protocol (MCP): Landscape, security threats, and future research directions.arXiv preprint arXiv:2503.23278, 2025

work page internal anchor Pith review arXiv 2025
[35]

SoK: Agentic Skills -- Beyond Tool Use in LLM Agents

Yanna Jiang, Delong Li, Haiyu Deng, Baihe Ma, Xu Wang, et al. SoK: Agentic skills–beyond tool use in LLM agents.arXiv preprint arXiv:2602.20867, 2026. Open Science We host our evaluation artifacts at https://anonymous.4open.scie nce/r/x402-attack-FDF1. A Full Proofs of Security Theorems We show the full proofs for the theorem statements in §2.5. A.1 Proof...

work page internal anchor Pith review arXiv 2026