x402guard checks the web↔chain glue of your x402 / agent-payment integration — replay, allowance, idempotency, unauthenticated treasury broadcast, SSRF webhooks. Slither checks your contract. We check everything around it.
Runs entirely on the server with the same ruleset as the CLI. Nothing is stored.
Heuristic static analysis — expect some false positives/negatives. It complements, it does not replace, a professional smart-contract / ZK audit.
Scored a D or F? Get a human expert to review your x402 integration — and write the fixes.
Book a security review →

15 rules drawn from the “Five Attacks on x402” taxonomy and real-world escrow-audit findings — the integration-layer issues that contract-only tools skip.
Agent-payment code moves real USDC over a brand-new attack surface — and money is already being lost.
GoPlus flagged critical vulns in x402-based tokens after exploits drained USDC from 200+ wallets.
The academic taxonomy is published — “Five Attacks on x402”: replay, allowance bypass, web-layer idempotency, authorization binding.
80%+ of deployed contracts never get a professional audit. The integration layer gets even less scrutiny.
| Tool | Checks | Misses |
|---|---|---|
| Slither / MythX | Solidity contract internals | the x402 web↔chain glue |
| OZ Defender / Forta | runtime monitoring (general) | x402-specific flows |
| x402guard | the integration layer, in CI | (complements a full audit) |
Zero dependencies. Fails the build on any critical/high finding. Drop the GitHub Action into any repo that ships agent-payment code.
Text / HTML / JSON reports · SARIF + runtime monitoring on the roadmap.
The grader and CLI are free forever — they drive adoption. You pay when real money is on the line and you want a human in the loop.
Tell me what you're shipping — I'll reply with scope and a fixed quote, usually same day.