Agent payments crossed from prototype to infrastructure faster than the security work did. The x402 protocol now carries more than 130 million transactions and sits inside Google Cloud, Cloudflare, and Stripe. Last week two papers put that infrastructure under a microscope, and one of them is a peer-reviewed conference result, not a preprint.
"Free-Riding the Agentic Web: A Systematic Security Analysis of x402 Payments" (arXiv:2605.30998), accepted at ACM SIGOPS ATC '26, reports resource-leakage ratios up to 100 percent against official x402 SDKs and production deployments. A companion architecture paper, "Agent-to-Agent Finance" (arXiv:2607.00245), makes wallet risk a first-class channel and states it plainly: "a malicious service description can trigger prompt injection, which leads the agent to misinterpret the payment purpose, which causes wallet authorisation to approve an unintended transfer."
These are not one-vendor bugs. They come from something structural.
The gap: synchronous request, asynchronous finality
x402 bridges an HTTP request, which is synchronous and returns in milliseconds, to a blockchain settlement, which is final only after confirmations. Between "the client says it paid" and "the network agrees it paid" there is a window. Everything in that window is attack surface, and anything that settles on top of x402 inherits it.







