Free-Riding the Agentic Web: A Systematic Security Analysis of x402 Payments

Abstract

The x402 protocol has crossed from prototype to infrastructure for the agentic web, driving 130 million all-time transactions and embedded in Google Cloud, Cloudflare, and Stripe. Yet bridging synchronous HTTP requests with asynchronous blockchain finality creates state-synchronization challenges, and x402's security has so far been examined only in piecemeal vendor disclosures. Moreover, x402 is not one artefact but a stack: an HTTP semantic, per-chain schemes, and a long tail of SDK and deployment choices whose required guarantees prior work has not established. We perform a systematic security analysis organized around five invariants grounded in specifications, literature, and vendor expectations, resolving every violation to the responsible layer. We identify four flaw classes: cross-resource substitution, duplicate-settlement race (independently corroborated by subsequent third-party reports), allowance overdraft, and denial of settlement. Against official SDKs and a production deployment, these reach resource-leakage ratios of up to 100%. For the pay-per-token scheme we prove a structural limit: no output-only pricing can be both fair to honest users and bounded against inflation of the hidden "thinking" tokens, the price of fairness being a 1+Θ manipulation gap. We propose per-flaw mitigations and a defense triple with provable guarantees, cutting per-call reasoning cost by 47% and inverting attacker leverage from 8.7× to 0.9× at only 2.8% overhead. All findings have been disclosed.
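The abstract names its flaw classes but not the server-side checks that close them. The following is an added illustration, not code from the paper or from any x402 SDK: a constructed model of the verify-then-settle step a payment-gated HTTP resource performs, with one check per flaw class for three of the four classes above (denial of settlement, which concerns the on-chain side, is not modelled). The field names, the `PaymentRequirements`/`PaymentAuthorization` shapes and the HMAC stand-in for a wallet signature are all assumptions chosen so the example runs offline; a real deployment verifies a wallet signature against the payer's address and settles through the chain.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import threading
from dataclasses import dataclass

# Constructed stand-in for wallet keys: payer id -> signing secret. A real x402
# deployment verifies a wallet signature against the payer's address; HMAC is
# used here only so the example runs offline (assumption, not the SDK's format).
PAYER_SECRETS = {"0xpayer": b"payer-secret"}


@dataclass(frozen=True)
class PaymentRequirements:
    """What the server states in its 402 response (field names are assumptions)."""
    resource: str   # exact path being sold, e.g. "/v1/cheap"
    amount: int     # price in the token's smallest unit
    pay_to: str     # merchant address that must receive the funds


@dataclass(frozen=True)
class PaymentAuthorization:
    """Client's signed authorization presented on the retried request."""
    payer: str
    pay_to: str
    amount: int
    nonce: str       # unique per authorization; the settlement key
    resource: str    # resource this authorization was minted for
    signature: str


def _message(payer: str, pay_to: str, amount: int, nonce: str, resource: str) -> bytes:
    # Canonical encoding: every field the server checks is under the signature,
    # including the resource, so an authorization cannot be re-pointed elsewhere.
    return json.dumps(
        {"payer": payer, "pay_to": pay_to, "amount": amount,
         "nonce": nonce, "resource": resource},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def sign_authorization(payer: str, pay_to: str, amount: int, nonce: str,
                       resource: str) -> PaymentAuthorization:
    msg = _message(payer, pay_to, amount, nonce, resource)
    sig = hmac.new(PAYER_SECRETS[payer], msg, hashlib.sha256).hexdigest()
    return PaymentAuthorization(payer, pay_to, amount, nonce, resource, sig)


class PaymentGate:
    """Server-side verify-then-settle with resource binding, single settlement
    per nonce, and allowance accounting debited atomically with the nonce claim."""

    def __init__(self, allowances: dict[str, int]):
        self._allowances = dict(allowances)   # payer -> remaining spendable amount
        self._settled: set[str] = set()       # nonces already consumed
        self._lock = threading.Lock()

    def verify_and_settle(self, req: PaymentRequirements,
                          auth: PaymentAuthorization) -> tuple[bool, str]:
        secret = PAYER_SECRETS.get(auth.payer)
        if secret is None:
            return False, "unknown-payer"
        msg = _message(auth.payer, auth.pay_to, auth.amount, auth.nonce, auth.resource)
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth.signature):
            return False, "bad-signature"
        # Cross-resource substitution: the authorization must name this exact
        # resource, price and payee, not merely be a valid payment to someone.
        if (auth.resource, auth.amount, auth.pay_to) != (req.resource, req.amount, req.pay_to):
            return False, "requirement-mismatch"
        # Duplicate settlement and allowance overdraft are decided under one lock,
        # so two concurrent presentations of the same nonce cannot both pass the
        # "unused" check before either one records the settlement.
        with self._lock:
            if auth.nonce in self._settled:
                return False, "duplicate-settlement"
            if self._allowances.get(auth.payer, 0) < auth.amount:
                return False, "insufficient-allowance"
            self._settled.add(auth.nonce)
            self._allowances[auth.payer] -= auth.amount
        return True, "settled"


def run_scenarios() -> dict[str, str]:
    """Constructed scenarios: one honest call, then one attempt per flaw class."""
    cheap = PaymentRequirements("/v1/cheap", 5, "0xmerchant")
    pricey = PaymentRequirements("/v1/pricey", 50, "0xmerchant")
    gate = PaymentGate({"0xpayer": 20})
    auth = sign_authorization("0xpayer", "0xmerchant", 5, "n-1", "/v1/cheap")
    out = {"honest": gate.verify_and_settle(cheap, auth)[1]}
    out["replay"] = gate.verify_and_settle(cheap, auth)[1]
    out["substitution"] = gate.verify_and_settle(pricey, auth)[1]  # cheap auth, pricey resource
    big = sign_authorization("0xpayer", "0xmerchant", 50, "n-2", "/v1/pricey")
    out["overdraft"] = gate.verify_and_settle(pricey, big)[1]      # only 15 left
    return out


def concurrent_replays(threads: int = 16) -> int:
    """Same authorization presented from many threads at once; returns how many settled."""
    req = PaymentRequirements("/v1/cheap", 5, "0xmerchant")
    gate = PaymentGate({"0xpayer": 1000})
    auth = sign_authorization("0xpayer", "0xmerchant", 5, "race-nonce", "/v1/cheap")
    results: list[bool] = []
    barrier = threading.Barrier(threads)

    def worker() -> None:
        barrier.wait()  # release all threads together to maximise overlap
        results.append(gate.verify_and_settle(req, auth)[0])

    ts = [threading.Thread(target=worker) for _ in range(threads)]
    for t in ts:
        t.start()
    for t in ts:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print(run_scenarios())
    print("settlements under concurrent replay:", concurrent_replays())
```

The design point is the ordering: signature and requirement binding are checked first, and the nonce claim and allowance debit are committed together under one lock, so the nonce is never marked used without the debit and never debited twice. In a real service the nonce set and allowance ledger would live in a store with the same atomicity guarantee (a transaction or a conditional write) rather than a process-local lock.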
