This study addresses critical security vulnerabilities in the x402 protocol within micropayment scenarios, which may lead to risks such as unauthorized service access or payment without service delivery. For the first time, it systematically identifies and validates five novel attack vectors across the protocol’s cross-layer attack surface, encompassing key components including authorization, binding, replay protection, and web-layer handling. Through formal analysis, experiments on both a local chain and the Base Sepolia testnet, real-world endpoint penetration testing, and security audits of three open-source SDKs, the work successfully reproduces all identified attacks and confirms their practical feasibility. Based on these findings, the paper proposes targeted mitigation strategies to enhance the protocol’s security posture and offers actionable recommendations for its robust implementation.

The x402 protocol revives the HTTP 402 Payment Required status code to enable web-native micropayments across APIs, content, and agents. It combines synchronous HTTP authorization with asynchronous blockchain settlement and introduces a cross-layer attack surface absent from conventional web and on-chain payments. In this paper, we formally analyze x402 and empirically show that it is vulnerable in both design and implementation. We present five concrete attacks that reveal weaknesses in authorization, binding, replay protection, and web-layer handling, showing that x402 is vulnerable across multiple stages of the payment workflow. We validate these attacks through a reproducible testbed on local chains, Base Sepolia, and live endpoints and further audit three open-source SDKs and endpoints. Our results show that all five attacks are practical and can cause either unpaid service or paid-but-denied outcomes. We also propose practical mitigations.