SOLMAL: the x402 attack surface (series intro) — TELETYPE EDITION | Skill Issue Dev

Mapping the attack surface of Coinbase's x402 micropayment protocol on Solana. Series intro covering the verify→settle pipeline, the actor model, the 9 vectors, and the responsible-disclosure timeline.

Coinbase shipped x402 — a micropayment protocol that piggybacks on HTTP 402 (Payment Required) — in late 2025. It is, on paper, brilliant: AI agents pay for API access via stablecoin micropayments embedded in HTTP headers, the merchant doesn’t need to run a payment processor, and a third-party “facilitator” sponsors gas on Solana so the agent doesn’t need any SOL.

In late 2026 I spent a few weeks staring at the protocol. I came away with 9 distinct attack vectors plus a meta-finding about AI-agent wallets that is, I think, the single biggest risk. This post is the series opener.

The protocol in 30 seconds

Three actors: client (an AI agent with a Solana wallet), resource server (the API the agent wants to call), facilitator (validates payments, sponsors gas, settles on-chain).

The Solana-specific bits:

Client builds a VersionedTransaction with an SPL TransferChecked instruction.
feePayer is the facilitator’s address.
Client only partially signs (their key); facilitator adds the feePayer signature.
USDC mint: EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v. 6 decimals, so "1000" = $0.001.
Compute budget capped at 40,000 CU, max 5 microlamports/CU.
Blockhash valid ~60 seconds (151 slots).

The 9 vectors

#	Vector	Severity	Post
1	Settlement race condition	High	walkthrough
2	Transaction manipulation (partial signing)	High	walkthrough
3	Facilitator gas drain	Medium	walkthrough
4	Blockhash replay window	Medium	(post 6)
5	Facilitator impersonation via feePayer field	Medium	(post 6)
6	AI-agent wallet exploitation	High	walkthrough
7	Header injection / parsing bugs	Medium	(post 6)
8	ATA derivation manipulation	Medium	(post 6)
9	Amount-string parsing	Medium	walkthrough

The five posts in this series cover Vectors 1, 2, 3, 6, 9 in detail. Vectors 4, 5, 7, 8 are noted in the SOLMAL.md research log and will land as a sweep post once I’ve written PoCs for each.

What’s load-bearing about each vector

Vector 1 (Settlement Race). The verify→settle pipeline isn’t atomic. A client can submit the same PAYMENT-SIGNATURE to multiple facilitators in parallel, or race the facilitator’s submission with a conflicting transaction posted directly to Solana. Settlement double-execution lasts as long as the blockhash is valid (~60s).

Vector 2 (Partial Signing). The client builds the entire transaction. The facilitator validates structure but typically doesn’t audit every byte of every instruction. A malicious client appends extra instructions — a token-2022 hook, a clawback, an arbitrary CPI — that fire after the transfer.

Vector 3 (Facilitator Gas Drain). The protocol specifies no per-client rate limit on the facilitator. Crafted transactions that fail validation in the worst possible way (consuming maximum CU before reverting) are still paid for by the facilitator. Economic DoS.

Vector 6 (AI-Agent Wallet). The agent has a programmatic keypair and auto-approves payments below a price threshold. A service that starts at $0.001/req and ramps to$ 0.10/req over 1000 requests drains the wallet without ever crossing the threshold. The threshold check is done per-request, not per-session, not per-vendor.

Vector 9 (Amount Parsing). Amounts in x402 are JSON strings like "1000". Different implementations parse "1000" vs "1e3" vs " 1000 " vs "+1000" vs "01000" differently. Mismatch between facilitator’s validator and Solana’s actual transfer = monetisable.

Disclosure posture

This is public research against an open protocol with multiple independent implementations. I did not test against any specific facilitator without permission. The PoCs target a mock facilitator I wrote in the research/ tree.

For specific vendor implementations:

I have not contacted Coinbase. The protocol is open; the bugs are in the spec, not in any single implementation.
If your team operates an x402 facilitator and any of this looks live in your code: please email me. Bridge: [email protected].
I’ll honour a 90-day embargo if you have a remediation plan.

What’s coming in the series

5 deep-dive posts on the highest-impact vectors:

Settlement race condition — Vector 1, double-spend within blockhash validity
Partial-signing instruction injection — Vector 2, append-and-execute
Facilitator gas drain — Vector 3, economic DoS
AI-agent wallet drain — Vector 6, slow-burn pricing
Amount-string parser fuzzing — Vector 9, JSON-numeric edge cases

Plus a sweep post for Vectors 4, 5, 7, 8 once the PoCs land.

Bibliography

Coinbase Developer Platform. x402 Specification. https://x402.org/
HTTP/1.1: Semantics. RFC 7231 §6.5.2 (402 Payment Required).
Solana Foundation. VersionedTransaction documentation.
Dax911/x402_mal — research repo; SOLMAL.md is the threat-model log.

Series finale: Settlement race condition →