GoPlus Security Exposes Critical Vulnerabilities in 402 Crypto Projects – Here’s What You Need to Know

Published: 2025-11-17 06:42:40

Security firm GoPlus just dropped a bombshell report—402 cryptocurrency projects have glaring security flaws that could put billions at risk.

These aren't minor bugs. We're talking about fundamental vulnerabilities that could lead to catastrophic exploits. The findings come as regulators globally ramp up scrutiny on crypto security practices.

While the report doesn't name specific projects, the sheer volume suggests this isn't just a few bad apples—it's systemic. Remember when 'code is law' was supposed to make finance more transparent? Turns out bad code just makes theft easier.

Crypto's security reckoning is here. Builders who ignore these warnings do so at their own peril—and their investors'.

What GoPlus found

GoPlus used its internal AI-assisted auditing engine to examine x402 projects listed in the x402 sections of Binance Wallet, OKX Wallet, and community-flagged lists. According to the company, the majority of projects scanned showed at least one high-risk issue.

Source: GoPlus Security 🚦 (@GoPlusSecurity) on X, November 17, 2025: https://t.co/0oY7BaKehe

The report identifies several categories of vulnerabilities that appeared frequently:

Excessive Authorization

Some contracts give owners or administrators the ability to move tokens that belong to the contract or its users. This means the party controlling the contract could withdraw those funds at any time, either intentionally or by mistake.

Signature Replay

Some projects use digital signatures to approve actions but do not include protections like nonces or expiration times. Because of this, the same signature can be reused later or in other contexts, letting someone perform actions they are not supposed to.
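As an added illustration (not code from the report or any project it names), the hypothetical contracts below show a signed-payout function that accepts the same signature repeatedly, beside a version that binds each signature to a nonce, a deadline, the chain id and the contract address:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the report or any project it names. Hypothetical
// contracts: the first replays, the second does not.
contract ReplayableExecutor {
    address public immutable signer;
    mapping(address => uint256) public balanceOf;
    constructor(address s) { signer = s; }

    // VULNERABLE: the digest covers only (to, amount), so one valid signature can be
    // resubmitted forever, and also verifies on other chains or copies of this contract.
    function payout(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = keccak256(abi.encodePacked(to, amount));
        require(ecrecover(digest, v, r, s) == signer, "bad sig");
        balanceOf[to] += amount;
    }
}

contract HardenedExecutor {
    address public immutable signer;
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public nonces;   // one sequence per recipient
    bytes32 public immutable DOMAIN;             // binds chain id and contract address

    constructor(address s) {
        signer = s;
        DOMAIN = keccak256(abi.encode("HardenedExecutor", block.chainid, address(this)));
    }

    function payout(address to, uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= deadline, "expired");
        uint256 nonce = nonces[to]++;            // consumed before any effect, so a replay fails here
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19\x01", DOMAIN, keccak256(abi.encode(to, amount, nonce, deadline))));
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad sig");
        balanceOf[to] += amount;
    }
}
```

A second submission of the same (to, amount, deadline, signature) tuple to HardenedExecutor recomputes the digest with the next nonce, so recovery yields a different address and the call reverts.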

Honeypot Structures

Some contracts may look fine at first, but hide ways for the owner to block withdrawals or take funds. They often include owner-only functions or special conditions that only activate after users interact with the contract, so the risk is not immediately obvious.

Unlimited Minting

Some tokens have mint functions that are not properly restricted. This means anyone, or a privileged account, can create unlimited tokens, which dilutes the value of existing tokens and can undermine the project.

Recent x402-Related Incidents

  • October 28: The cross-chain protocol @402bridge was exploited because of excessive authorization. Attackers moved USDC from more than 200 user accounts.
  • November 12: The project Hello402 (@Xlayer402) had unlimited minting, centralization issues, and low liquidity. These problems caused the token’s price to fall.

Project-specific findings

GoPlus listed several contracts showing high-risk behavior. Their explanations are reproduced exactly as written:

  • FLOCK (0x5ab3): “The transferERC20 function allows the owner to extract any amount of any token from the contract.”
  • x420 (0x68e2): “The crosschainMint function can mint tokens without restrictions.”
  • U402 (0xd2b3): “The mintByBond function allows a bond to mint tokens without restrictions.”
  • MRDN (0xe57e): “The withdrawToken function allows the owner to extract any amount of any token from the contract.”
  • PENG (0x4444ee, 0x444450, 0x444428): “The manualSwap function allows owner to extract ETH from the contract, and the transferFrom function bypasses allowance checks for special accounts.”
  • x402Token (0x40ff): “The transferFrom function bypasses allowance checks for special accounts.”
  • x402b (0xd8af5f): “The manualSwap function allows owner to extract ETH from the contract, and the transferFrom function bypasses allowance checks for special accounts.”
  • x402MO (0x3c47df): “The manualSwap function allows owner to extract ETH from the contract, and the transferFrom function bypasses allowance checks for special accounts.”
  • H402 (Old) (0x8bc76a): “The withdrawDevToken function allows owner to directly mint tokens, and addTokenCredits+redeemTokenCredits functions enable unlimited minting.”

These examples illustrate a pattern: many projects rely on contract structures that concentrate control in a single party or allow unrestricted token creation. 
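To make the two most frequently quoted findings concrete, the following added example (hypothetical contracts, not code from any project listed above) reproduces an open mint function and a transferFrom that skips the allowance check for "special accounts", beside minimal fixes:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from any project named above. LeakyToken reproduces two quoted
// patterns (open mint, allowance bypass for "special accounts"); TightToken shows the fixes.
contract LeakyToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public special;   // owner-managed privileged set
    address public owner = msg.sender;

    function setSpecial(address a, bool v) external { require(msg.sender == owner); special[a] = v; }
    function mint(address to, uint256 amount) external {   // no access control: anyone inflates supply
        balanceOf[to] += amount;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (!special[msg.sender]) {                // privileged callers skip the allowance check,
            allowance[from][msg.sender] -= amount; // so they can move any holder's balance
        }
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract TightToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;
    uint256 public immutable cap;
    address public immutable minter;   // single, visible role instead of a hidden list
    constructor(uint256 cap_) { cap = cap_; minter = msg.sender; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(totalSupply + amount <= cap, "cap exceeded");   // bounded supply
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];   // same rule for every caller
        require(allowed >= amount, "allowance");
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount;   // 0.8 checked arithmetic reverts on underflow
        balanceOf[to] += amount;
        return true;
    }
}
```

When reviewing a token, the branch on `special[msg.sender]` and the absence of any `require` in `mint` are exactly the shapes a reader should search for; the hardened version replaces both with a single named role and a supply cap that an auditor can verify on-chain.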

A growing sector with uneven standards

The x402 trend emerged quickly, pulling in developers, traders, and opportunistic token creators at the same time. As with many fast-moving crypto narratives, the pace of launches has outstripped security practices in several parts of the ecosystem.

GoPlus Security, which regularly monitors emerging crypto sectors for wallet-level threats and contract risks, said it intends to continue analyzing x402-related code as new projects appear. The company stated that it is “deeply involved in x402” and that it welcomes inquiries from teams seeking security reviews.

For users, the report serves as a reminder that enthusiasm around a new concept — even one tied to a long-standing internet idea — does not necessarily come with reliable technical safeguards.
