Paid-agent security teardown
Agents are about to touch your money flow. Make it hard to spoof.
We hunt the places a paid API, MCP server, or x402 demo can mischarge, double-charge, leak compute, fake receipts, or let payment metadata become policy.
free triage open
1. Spoofed payment state
Can a caller make your app believe payment happened, happened for the wrong resource, or happened for a different action?
2. Replay and double-charge
Can the same proof, retry, nonce, or receipt be reused across calls or charged twice after a failure?
3. Free compute leakage
Can unpaid callers trigger expensive work before settlement, or shift cost to you through failed payment paths?
What you get
Send the endpoint. We return the first payment-risk findings.
We hit the public surface like a buyer agent and a hostile integrator: discovery, 402 challenge, payment proof, retry, receipts, tool output, docs, and listing claims. You get concrete blockers, not theory.
Free triage
Three concrete blockers from your endpoint, repo, docs, or launch page.
$250 risk audit
Prioritized findings with buyer impact, exploitability, and exact fix path.
$500 sprint
We package the first hardening path: receipt shape, docs, replay tests, or patch plan.
Failure modes we look for
Prompt-injected payment metadata
Payment payloads, MCP descriptions, and skill files should not become executable policy.
Decorative receipts
Receipts need to bind payer, receiver, tool, arguments hash, output hash, amount, network, and expiry.
Wrong-resource payment
Payment proof must bind to the exact action or resource, not only the provider or domain.
Settlement-before-work bugs
We check whether work runs before settlement, or whether failures leave no clear refund/non-charge state.
Bug-bounty surfaces
We separate real PoC candidates from design commentary so you do not waste time submitting noise.
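A minimal receipt check for the binding, wrong-resource, and replay cases listed above, as an added example rather than code from this page or its repo. It assumes an HMAC over a shared demo key in place of real x402 settlement verification and adds a nonce field; every name and value is constructed.

```python
import hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: stands in for verifying the settlement layer's signature
BOUND = ("payer", "receiver", "tool", "args_hash", "output_hash",
         "amount", "network", "expiry", "nonce")
_seen = set()  # replay cache; a real deployment needs a shared store with atomic insert

def digest(value):
    """SHA-256 over canonical JSON, so equal arguments always hash equally."""
    raw = json.dumps(value, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def sign(receipt):
    body = {k: receipt[k] for k in BOUND}  # KeyError if any bound field is absent
    return hmac.new(KEY, digest(body).encode(), hashlib.sha256).hexdigest()

def issue(payer, receiver, tool, args, output, amount, network, nonce, ttl=60, now=None):
    now = time.time() if now is None else now
    r = {"payer": payer, "receiver": receiver, "tool": tool,
         "args_hash": digest(args), "output_hash": digest(output),
         "amount": amount, "network": network, "expiry": now + ttl, "nonce": nonce}
    r["sig"] = sign(r)
    return r

def verify(receipt, receiver, tool, args, output, amount, network, now=None):
    """Return "ok", or the reason this receipt does not cover this exact call."""
    now = time.time() if now is None else now
    try:
        expected = sign(receipt)
    except (KeyError, TypeError):
        return "missing-field"
    if not hmac.compare_digest(expected.encode(), str(receipt.get("sig")).encode()):
        return "bad-signature"
    if receipt["expiry"] < now:
        return "expired"
    want = {"receiver": receiver, "tool": tool, "args_hash": digest(args),
            "output_hash": digest(output), "amount": amount, "network": network}
    for field, value in want.items():
        if receipt[field] != value:
            return "mismatch:" + field  # paid, but for a different resource or action
    if receipt["nonce"] in _seen:
        return "replayed"
    _seen.add(receipt["nonce"])  # consume only after every other check passed
    return "ok"
```

The nonce is consumed last so a failed check cannot burn a valid receipt, and the payer is covered by the signature rather than compared against the caller.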
Why now
x402 and MCP are moving from demos to real paid-agent surfaces. Attackers arrive before procurement.
Proof target
We built a Hedera/x402 MCP gate repo and are actively hunting receipt-binding bugs.
Live marker
Receipt Risk / RISK is the public marker for this receipt, replay, and paid-agent trust surface.
Best buyer
Paid APIs, MCP servers, x402 demos, agent marketplaces, data products, and costly hosted workflows.
Bottom line
If agents can pay you, agents can also misunderstand, replay, spoof, or dispute you.
We turn that into a short fix list before it becomes a support ticket, bounty report, or public trust failure.