x402 protocol security research with confirmed PoCs

Pushed the SOLMAL writeup with confirmed proofs-of-concept against the x402 (HTTP 402 micropayment) protocol. Three issues found, all in the handshake between agent and merchant — the protocol assumes the merchant’s response is unforgeable, which is true if you trust the network layer but isn’t if anyone can MITM the agent’s outbound request.

PoCs land on a mock merchant + mock agent; mitigations need protocol-level signing on the 402 response. Coin Center / EFF style: report responsibly, give vendors 90 days, then publish.