x402 Security Audit

Flat-fee security audits for x402 integrations, gateway routes, and the contracts behind them, in three tiers from three thousand dollars.

Audited against the x402 v2 spec · 12-archetype lab · Slither · Foundry · Echidna · hss-sniffer
01 · Why It Matters

The x402 Attack Surface Is Wider Than It Looks

x402 lets agents pay per API call in stablecoins; the protocol has stabilized at v2 under the Linux Foundation, and real money already moves across the network. The flip side is that every new x402 service inherits the security surface of HTTP, on-chain settlement, agent identity, and signed-payment verification all at once. A single missing nonce check, a mishandled facilitator response, or a misconfigured CAIP-2 network identifier is the kind of bug that drains a wallet in production.

We audit x402 integrations with three tools we built and operate. Our security lab models twelve attack archetypes with working exploits and patches; our hss-sniffer static analyzer scans contracts against those archetypes alongside the Slither rule set and maps every finding to a remediation walkthrough; and we run BitBooth, a multi-chain x402 gateway in production on Base mainnet settling real USDC through the Coinbase CDP Facilitator. Because we run the surface ourselves, we know which classes of bug actually happen and which are only theoretical.

02 · Three Tiers

Pick the Depth You Need

Each tier is flat-fee with a written delivery date. No hourly creep, and no surprise invoices.

Tier 1

Quick Scan

$3k
3 to 5 days · flat fee
  • hss-sniffer scan of your Solidity surface
  • Manual review of x402 challenge and verify flow
  • One-page findings memo with severity and fix pointers
  • 30-minute walkthrough call
  • Best for pre-mainnet validation and due diligence
Book a Quick Scan
Tier 3

Hardened

$12k
2 to 3 weeks · flat fee
  • Everything in Full Audit
  • Remediation pairing with your engineering team
  • Echidna property-based fuzzing on critical paths
  • Re-audit after fixes until findings clear
  • Public attestation badge for your service
  • Best for high-TVL protocols and agency-facing services
Book Hardened Engagement
03 · Scope

What an x402 Audit Actually Covers

Six areas mapped against the x402 v2 spec, our twelve-archetype security lab, and what we have learned running BitBooth in production.

Challenge and verify flow

402 challenge construction, accepts array correctness, payment-header schema validation, expiry handling, and replay protection through a nonce store and idempotency keys.

On-chain settlement verification

Per-chain adapter correctness across Base, XRPL, Solana, and Stellar, with confirmation depth, payTo validation, amount-base-unit handling, network mismatch detection, and CAIP-2 parsing.
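The checks listed above, as an added example written for this page rather than BitBooth's own adapter code: it parses the CAIP-2 network id, converts the advertised price to integer base units with BigInt (USDC has 6 decimals, and float arithmetic rounds), normalises EVM address casing before comparing payTo and asset, and enforces a confirmation depth. The route and receipt shapes, the field names, and the addresses are assumptions made for illustration.

```javascript
// Added example, not BitBooth code. Route and receipt shapes, field names and
// addresses are assumptions; the CAIP-2 grammar and USDC's 6 decimals are real.

// Parse a CAIP-2 chain id ("namespace:reference"), e.g. "eip155:8453" for Base mainnet.
function parseCaip2(id) {
  const m = /^([-a-z0-9]{3,8}):([-_a-zA-Z0-9]{1,32})$/.exec(String(id));
  if (!m) throw new Error(`malformed CAIP-2 network id: ${id}`);
  return { namespace: m[1], reference: m[2] };
}

// Convert a decimal price string to integer base units without floating point.
// In floats, 1.1 * 1e6 is 1100000.0000000002; string arithmetic has no such drift.
function toBaseUnits(amount, decimals) {
  const m = /^(\d+)(?:\.(\d+))?$/.exec(String(amount));
  if (!m) throw new Error(`bad amount: ${amount}`);
  const frac = m[2] || "";
  if (frac.length > decimals) throw new Error(`${amount} has more than ${decimals} decimals`);
  return BigInt(m[1] + frac.padEnd(decimals, "0"));
}

// EVM hex addresses are case-insensitive (EIP-55 checksum casing varies by
// wallet); other namespaces are compared as-is.
function normAddress(namespace, addr) {
  return namespace === "eip155" ? String(addr).toLowerCase() : String(addr);
}

// route: what the 402 challenge advertised; receipt: what the chain adapter
// observed for the referenced transaction. Returns { ok, reason }.
function checkSettlement(route, receipt) {
  const want = parseCaip2(route.network);
  let got;
  try {
    got = parseCaip2(receipt.network);
  } catch (e) {
    return { ok: false, reason: "malformed network" };
  }
  if (want.namespace !== got.namespace || want.reference !== got.reference) {
    return { ok: false, reason: "network mismatch" };
  }
  if (receipt.status !== "success") return { ok: false, reason: "transaction reverted or pending" };
  if (normAddress(want.namespace, receipt.asset) !== normAddress(want.namespace, route.asset)) {
    return { ok: false, reason: "wrong asset" };
  }
  if (normAddress(want.namespace, receipt.to) !== normAddress(want.namespace, route.payTo)) {
    return { ok: false, reason: "payTo mismatch" };
  }
  const required = toBaseUnits(route.price, route.decimals);
  if (BigInt(receipt.amount) < required) return { ok: false, reason: "underpaid" };
  if (receipt.confirmations < route.minConfirmations) {
    return { ok: false, reason: "insufficient confirmations" };
  }
  return { ok: true };
}

// Constructed sample data: not real addresses or transactions.
const ROUTE = {
  network: "eip155:8453", // Base mainnet
  asset: "0xA0B1c2D3e4F5a6B7c8D9e0F1A2b3C4d5E6F7a8B9",
  payTo: "0x1111111111111111111111111111111111111111",
  price: "0.10", // USDC in human units
  decimals: 6,
  minConfirmations: 2,
};

const GOOD_RECEIPT = {
  network: "eip155:8453",
  status: "success",
  asset: "0xa0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9", // same asset, different casing
  to: "0x1111111111111111111111111111111111111111",
  amount: "100000", // base units as a string, never a float
  confirmations: 5,
};

// The same transfer reported from Ethereum mainnet: what you see when an
// adapter trusts a client-supplied network field instead of the RPC it queried.
const WRONG_CHAIN = { ...GOOD_RECEIPT, network: "eip155:1" };
const UNDERPAID = { ...GOOD_RECEIPT, amount: "99999" };

console.log(checkSettlement(ROUTE, GOOD_RECEIPT), checkSettlement(ROUTE, WRONG_CHAIN), checkSettlement(ROUTE, UNDERPAID));
```

The network and amount checks are the ones most often skipped: a receipt fetched from the wrong RPC endpoint, or an amount compared after parsing to a JavaScript number, both pass a naive `verify.ok` test.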

Smart contract surface

Reentrancy, access control, signature replay, oracle manipulation, share inflation, delegatecall storage collision, unchecked external calls, and the rest of the twelve archetypes from our security lab.

Wallet and key management

Agent wallet provisioning, hot wallet exposure, KMS and Secrets Manager handling, multi-sig requirements for high-value routes, and a key rotation runbook.

Tenant isolation and abuse

Per-tenant rate limiting, fraud event tracking, route-level configuration injection, multi-tenant data leakage, and billing edge cases.

Operational resilience

Webhook delivery dead-letter queues, RPC failover, facilitator availability, observability gaps, incident response readiness, and rollback paths.

04 · Tooling

The Stack Behind the Audit

Every tool we use is either open source or built by us, so the process is public and auditable with no black boxes.

HSS Security Lab · Twelve archetypes with working exploits and patches
hss-sniffer · Custom Solidity static analyzer, run across more than 776 production scans
Slither · Static analysis with HSS rule overlays
Foundry · Test harnesses and fuzz campaigns
Echidna · Property-based fuzzing on the Hardened tier
BitBooth · Our production x402 gateway on Base mainnet, MIT licensed
05 · Deliverable Sample

What a Finding Looks Like

A sanitized example pulled from our security lab fixtures.

High

Missing nonce-replay guard on x402 verify path

The enforceX402 handler validates the payment-header schema and the on-chain transaction reference, but it does not check the nonce against a seen-nonces store before accepting the payment. An attacker can replay a previously confirmed payment to repeatedly access the same paid resource without sending new on-chain payments.

// Before
const verify = await adapter.verifyPayment({ txHash, expectedTo, ... })
if (verify.ok) return resource

// After
const seen = await nonceStore.has(payment.nonce)
if (seen) throw new ReplayError("nonce already used")
const verify = await adapter.verifyPayment(...)
if (verify.ok) {
  await nonceStore.put(payment.nonce, ttl)
  return resource
}

Recommended fix. Wire a TTL-bounded nonce store backed by DynamoDB, Redis, or Postgres into the verify path, and reject any payment whose nonce has been seen within the payment-window seconds. Reserve the nonce with a single atomic conditional write (Redis SET NX, a DynamoDB conditional put, or Postgres INSERT ... ON CONFLICT DO NOTHING) rather than a separate read followed by a write, otherwise two concurrent replays can both pass the check before either records the nonce. The same idempotency pattern guards every paid route on BitBooth.
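A replay-safe version of the verify path described in this finding and in the challenge-and-verify scope above, as an added example that is not BitBooth's enforceX402: the nonce is reserved atomically before settlement verification rather than checked and then written after it, so two concurrent replays cannot both pass. The in-memory store mirrors Redis SET NX PX semantics so the example runs offline; the adapter, the payment-header fields, the nonce format and the window and skew values are assumptions made for illustration.

```javascript
// Added example, not BitBooth code. Adapter shape, header fields, nonce format
// and the timing constants are assumptions for illustration.

const PAYMENT_WINDOW_MS = 5 * 60 * 1000; // assumed max lifetime of a payment header
const CLOCK_SKEW_MS = 30 * 1000;         // assumed tolerance for client/server clock drift

class NonceStore {
  constructor(now = () => Date.now()) {
    this.expiry = new Map();
    this.now = now;
  }
  // Atomic check-and-set: true only for the first caller to claim `nonce` before
  // its TTL lapses. Node runs this synchronously, which is what makes it atomic
  // here; a networked store needs SET NX / conditional put / ON CONFLICT instead.
  reserve(nonce, ttlMs) {
    const t = this.now();
    const exp = this.expiry.get(nonce);
    if (exp !== undefined && exp > t) return false;
    this.expiry.set(nonce, t + ttlMs);
    return true;
  }
  release(nonce) {
    this.expiry.delete(nonce);
  }
}

// Schema and expiry checks run before the store is touched, so malformed or
// stale headers cannot consume nonce-store capacity.
function validatePaymentHeader(p, now) {
  if (!p || typeof p !== "object") return "missing payment header";
  if (typeof p.nonce !== "string" || !/^(0x)?[0-9a-f]{32,64}$/i.test(p.nonce)) return "bad nonce";
  if (!Number.isInteger(p.expiresAt)) return "bad expiry";
  if (p.expiresAt <= now) return "payment expired";
  if (p.expiresAt - now > PAYMENT_WINDOW_MS + CLOCK_SKEW_MS) return "expiry beyond payment window";
  if (typeof p.txHash !== "string" || p.txHash.length === 0) return "missing tx reference";
  return null;
}

async function enforceX402(payment, adapter, nonceStore, now = Date.now()) {
  const err = validatePaymentHeader(payment, now);
  if (err) return { status: 402, reason: err };

  // Hold the nonce until the header itself would fail the expiry check, so a
  // replay after the TTL lapses is rejected as expired instead.
  const ttl = payment.expiresAt - now + CLOCK_SKEW_MS;
  if (!nonceStore.reserve(payment.nonce, ttl)) {
    return { status: 402, reason: "nonce already used" };
  }

  let verify;
  try {
    verify = await adapter.verifyPayment(payment);
  } catch (e) {
    // Transient RPC/facilitator failure: give the nonce back so the client can retry.
    nonceStore.release(payment.nonce);
    return { status: 503, reason: "settlement check unavailable" };
  }
  if (!verify.ok) {
    // Definitive failure (wrong chain, underpaid, reverted): keep the nonce burned.
    return { status: 402, reason: verify.reason };
  }
  return { status: 200, body: "paid resource" };
}

// Constructed fake adapter: resolves after a tick so concurrent calls interleave.
function fakeAdapter(result) {
  return {
    verifyPayment: async () => {
      await new Promise((r) => setTimeout(r, 5));
      if (result instanceof Error) throw result;
      return result;
    },
  };
}

// Two identical requests fired at once: exactly one is served, the other is
// refused before any on-chain lookup happens.
async function demoConcurrentReplay() {
  const store = new NonceStore();
  const now = Date.now();
  const payment = { nonce: "a".repeat(32), expiresAt: now + 60000, txHash: "0xfeed" };
  const adapter = fakeAdapter({ ok: true });
  const results = await Promise.all([
    enforceX402(payment, adapter, store, now),
    enforceX402(payment, adapter, store, now),
  ]);
  return results.map((r) => r.status); // one 200, one 402
}

demoConcurrentReplay().then((statuses) => console.log("statuses:", statuses));
```

An adapter should throw, rather than return ok: false, for a transaction it cannot yet see or that is still below the confirmation threshold; that keeps a legitimate client's retry on the same nonce possible while a definitive rejection still burns the nonce.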

Archetype · 03-signature-replay · Effort · 2 hours · Severity · High
06 · Why HSS

Why We Are Qualified to Audit Your x402 Stack

We do not audit a surface we have never shipped. Every claim below maps to production code or a public registration record you can read before you hire us.

  • Production x402 gateway operator. We run BitBooth, a multi-chain x402 gateway live in production on Base mainnet settling real USDC through the Coinbase CDP Facilitator, with additional chains supported as settlement rails. We know which bugs actually happen because we operate the surface every day.
  • Public gateway source at github.com/Drock91/bitbooth-gateway, MIT licensed, with @bitbooth/mcp-fetch published on npm. The same engineering bar we hold ourselves to is the one we bring to your code.
  • Twelve-archetype security lab with working exploits and verified patches, paired with hss-sniffer, our custom Solidity static analyzer run across more than 776 production scans. Public, reproducible, and peer-reviewable.
  • SBA-certified SDVOSB, veteran-owned. Heinrichs Software Solutions Company is a Florida corporation certified by the SBA as a Service-Disabled Veteran-Owned Small Business, registered and active in SAM.gov under UEI SXG3SA9JMM47 and CAGE 1ZSB5, with security work built to align with CMMC Level 2 and NIST 800-171.
  • Multi-chain coverage. XRPL classic, XRPL EVM sidechain, EVM networks including Ethereum and Base, Solana, and Stellar. Most audit shops review a single chain, and an x402 service rarely lives on one.

Free 25-Point x402 Security Checklist

Self-review your x402 integration before you book an audit. It covers nonce replay, settlement verification, wallet exposure, tenant isolation, and twenty-one more checks. Free, email-gated, and no obligation.