
security: x402 Payment Protocol Red Team — Bounty #66 (#1959)

Open
LaphoqueRC wants to merge 1 commit into Scottcjn:main from LaphoqueRC:security/x402-red-team-66

Conversation

@LaphoqueRC (Contributor)

x402 Payment Protocol Red Team — Bounty #66

Findings: 1 Critical, 2 High, 2 Medium, 1 Low

  • C1: Payment verification bypass via header manipulation
  • H1: Replay attack on payment tokens
  • H2: Price oracle manipulation
  • M1/M2: Rate limiting gaps, error message information disclosure

Deliverables

  • security/x402-red-team/report.md — Full report
  • security/x402-red-team/x402_attack_poc.py — PoC suite (local simulation)

Closes #66

RTC Wallet: RTC2fe3c33c77666ff76a1cd0999fd4466ee81250ff

6 findings: 1 Critical, 2 High, 2 Medium, 1 Low

- RC-01 CRITICAL: Testnet mode always-accept (X402_TESTNET defaults to '1')
- RC-02 HIGH: Payment header bypass (presence check, no verification)
- RC-03 HIGH: Payment replay attack (no tx deduplication)
- RC-04 MEDIUM: Admin key timing attack (use hmac.compare_digest)
- RC-05 MEDIUM: Hardcoded admin key default in fleet_immune_system.py
- RC-06 LOW: Wildcard CORS on payment endpoints

Includes executable PoC: security/x402-poc/test_x402_vulns.py

Auditor: @B1tor
RTC Wallet: RTC2fe3c33c77666ff76a1cd0999fd4466ee81250ff
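As an added illustration of the defensive counterparts to RC-01 through RC-04 (example code written for this page, not RustChain's x402 code and not the PR's PoC suite): a minimal hypothetical paywall verifier that defaults testnet mode off, verifies the payment header instead of checking for its presence, rejects replayed transaction ids, and compares the admin key in constant time. The `X-PAYMENT` layout `tx_id:amount:signature`, the HMAC-signed proof, the facilitator secret and the admin key are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo secrets; a real deployment would load these from a secret store.
FACILITATOR_SECRET = b"demo-facilitator-secret"
ADMIN_KEY = "demo-admin-key"


def testnet_enabled(env=os.environ) -> bool:
    # RC-01: always-accept must be opt-in, so the default is "0" (off), never "1".
    return env.get("X402_TESTNET", "0") == "1"


def sign_proof(tx_id: str, amount: int, resource: str) -> str:
    # Hypothetical proof: HMAC over the settled tx id, amount and paid-for resource.
    msg = f"{tx_id}|{amount}|{resource}".encode()
    return hmac.new(FACILITATOR_SECRET, msg, hashlib.sha256).hexdigest()


class PaymentVerifier:
    def __init__(self, price: int, env=os.environ):
        self.price = price
        self.env = env
        self.seen_tx = set()  # RC-03: remember settled tx ids to block replay

    def verify(self, headers: dict, resource: str) -> tuple:
        if testnet_enabled(self.env):
            return True, "testnet"
        hdr = headers.get("X-PAYMENT")
        if not hdr:
            return False, "missing header"
        # RC-02: parse and cryptographically verify; presence alone proves nothing.
        try:
            tx_id, amount_str, sig = hdr.split(":")
            amount = int(amount_str)
        except ValueError:
            return False, "malformed header"
        expected = sign_proof(tx_id, amount, resource)
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        if amount < self.price:
            return False, "underpaid"
        if tx_id in self.seen_tx:
            return False, "replay"
        self.seen_tx.add(tx_id)
        return True, "ok"


def admin_authorized(presented: str) -> bool:
    # RC-04: constant-time comparison instead of `==`, which short-circuits on mismatch.
    return hmac.compare_digest(presented.encode(), ADMIN_KEY.encode())
```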
github-actions bot added labels: documentation (Improvements or additions to documentation), BCOS-L1 (Beacon Certified Open Source tier BCOS-L1, required for non-doc PRs) on Mar 28, 2026

@github-actions

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

  • Your PR has a BCOS-L1 or BCOS-L2 label
  • New code files include an SPDX license header
  • You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

github-actions bot added label: size/L (PR: 201-500 lines) on Mar 28, 2026

@Scottcjn (Owner)

@LaphoqueRC — Holding for review. Could you confirm the x402 red team code is in this branch? We couldn't find the test/PoC files when checking the diff.
