Tags → #security
-
x402 Vector 9: amount-string parser fuzzing
x402 amounts travel as JSON strings. "1000", "1e3", " 1000 ", "+1000", "01000" round-trip differently across implementations. Any disagreement between the facilitator's validator and Solana's transfer is monetisable.
-
x402 Vector 6: AI-agent wallet drain via slow-burn pricing
AI agents on x402 use programmatic keypairs and auto-approve every payment under a price threshold. A service that ramps prices upward slowly after trust is established drains the agent without ever tripping the threshold.
-
x402 Vector 3: facilitator gas drain
x402 facilitators pay all transaction fees and the spec defines no per-client rate limit. A flood of valid-looking transactions that fail at maximum compute-unit consumption is a per-request economic attack on the facilitator.
-
x402 Vector 2: partial-signing instruction injection
The x402 client builds and partially signs the entire VersionedTransaction. A facilitator that validates structure but not bytes can co-sign a transaction with extra clawback or drain instructions appended after the legitimate transfer.
-
x402 Vector 1: settlement race condition
Coinbase x402's verify→settle pipeline isn't atomic. A client can submit the same PAYMENT-SIGNATURE to multiple facilitators in parallel, or race the facilitator with a direct on-chain submission. Double-spend within blockhash validity (~60s).
-
SOLMAL: the x402 attack surface (series intro)
Mapping the attack surface of Coinbase's x402 micropayment protocol on Solana. Series intro covering the verify→settle pipeline, the actor model, the 9 vectors, and the responsible-disclosure timeline.
-
Rusty Pipes Exploit
Using Rust to inject malicious code into npm packages and hijack your entire Node runtime.
-
Hungry Git: A Quick Guide to Hacking Orgs and Bots
Recently more and more people are talking about how insecure GitHub is. This article will show you how to exploit GitHub organizations and bots to get what you want.
-
Rust in Peace: How to Hijack Node.js with a Single Require
Discover how to exploit the Node.js ecosystem with Rust-based supply chain malware. Learn about the vulnerabilities in npm packages and how a single require line can compromise JavaScript projects. Explore security measures to prevent such attacks.
-
Rusty Pipes
An npm supply-chain exploit that checks which packages you contribute to, then injects a malicious Rust binary into the next release.