BSC x402: Who Actually Built It, and How
Multiple projects claimed x402 support on BSC. We verified every claim on-chain by tracing transactions, decompiling bytecode, reading source code, and checking deployed contracts.
BSC Stablecoins Cannot Use EIP-3009
The default x402 EVM settlement uses EIP-3009 — specifically transferWithAuthorization. A user signs an off-chain message, a facilitator submits it to the token contract, and tokens move without the user ever paying gas.
This works on Base, Polygon, Arbitrum, Optimism, and Avalanche because Circle deployed USDC with full EIP-3009 support on each of those chains.
BSC has no Circle-native USDC. The two dominant stablecoins on BSC — Binance-Peg USDT and Binance-Peg USDC — are bridge wrappers built on a standard ERC-20 template. They implement no transferWithAuthorization and no permit function. Calling either function reverts immediately.
Both BSC stablecoins also use 18 decimals rather than the 6 that every other chain's USDC uses, adding another layer of incompatibility beyond the missing function signatures.
AEON
AEON is a BNB Chain MVB Season 10 graduate. Their facilitator has been processing BSC payments since December 19, 2025, and represents the largest volume of any BSC x402 implementation we found.
Facilitator: facilitator.aeon.xyz/supported
Signer: 0xe91e0E6080B0c19C71B616E628d7B715313D5036
Proxy: 0x555e3311a9893c9b17444c1ff0d88192a57ef13e (EIP-1967)
Implementation: 0xd3326dd0933b013e78e5be6a4263480f526ce6c3 (14,846 bytes)
Bytecode Analysis
AEON's contract source is not public. We decompiled the implementation bytecode using Heimdall v0.9.2 and extracted all function selectors via Foundry's cast selectors.
Confirmed from bytecode constants: OpenZeppelin v5 OwnableUpgradeable, PausableUpgradeable, Initializable, SafeERC20. The contract has full EIP-3009 functions built in (transferWithAuthorization, receiveWithAuthorization, cancelAuthorization, authorizationState).
Not found in bytecode: ReentrancyGuard. The OZ ReentrancyGuard storage slot (0x9b779b17...) is absent from the entire bytecode.
The Forked SDK
We cloned AEON's public repo at github.com/AEON-Project/bnb-x402 and read the source. They fork the entire x402 SDK, shipping their own versions of @x402/core, @x402/evm, @x402/fetch, and every HTTP framework package.
The critical code is in exact/client/scheme.ts. Their ExactEvmScheme class has two signing paths:
// Path 1: standard EIP-3009 (for tokens that support it) private async signAuthorization(authorization, requirements) { // Signs against the token contract address // Standard x402 behavior } // Path 2: BSC fallback (for tokens without EIP-3009) private async signAuthorizationNoSuperEip3009(authorization, requirements) { // Checks allowance, auto-approves if needed const domain = { name: "Facilitator", version: "1", chainId, verifyingContract: getAddress("0x555e3311a9893c9B17444C1Ff0d88192a57Ef13e"), }; // AEON's contract address, hardcoded in client source }
The standard Coinbase @x402/evm package cannot be used with AEON on BSC. The standard SDK signs against the token contract address, while AEON's BSC path signs against AEON's own contract address. Developers must install AEON's forked SDK to use their BSC facilitator.
The contract address is not configurable — it is a string literal in the source. The file also contains console.log debug statements in production code.
AEON has the most BSC x402 volume by a wide margin. Their contract is 14,846 bytes of compiled logic. The tradeoffs are significant: closed source, forked SDK, no ReentrancyGuard found in bytecode, and the scheme name exact does not distinguish their custom BSC flow from standard EIP-3009 chains.
Milady BSC
Milady BSC runs a facilitator at x402.milady-app.com using $U by United Stables, a stablecoin that natively implements EIP-3009 on BSC.
We traced their signer's entire transaction history using binary search on nonce count. Three transactions total were found.
| Date | Amount | Method | TX |
|---|---|---|---|
| Mar 7, 2026 | 0 $U (test) | transferWithAuthorization |
0x2240f0...cade03 |
| Mar 7, 2026 | 1 $U | transferWithAuthorization |
0xc8b404...c665ba |
| Mar 16, 2026 | 1 $U | transferWithAuthorization |
0xc8da01...aa1e62 |
All three are direct calls to transferWithAuthorization on the $U token contract itself, with no custom contract in between. This is standard x402 exact scheme operating exactly as designed on any chain where the token natively supports EIP-3009.
The limitation is the token itself. This approach does not help BSC users whose funds are in USDT or USDC, which together represent the overwhelming majority of BSC stablecoin liquidity.
Claims Without On-Chain Evidence
Several other projects announced BSC x402 support during this period. We checked every one against BSC mainnet and found no deployed settlement infrastructure for any of them.
| Project | Claim | What We Found |
|---|---|---|
| Pieverse | pieUSD with EIP-3009, "first enterprise Web payment standard on BNB" | pieUSD deployed on BSC testnet only. No mainnet contract. GitHub repo is docs, not code. README from Oct 2025 promises specs "soon." |
| Unibase | "First x402 facilitator on BSC," XUSD wrapped stablecoin | No deployment. No GitHub. No contract. No evidence of any kind found on-chain. |
| B402 | "First AI Agent payment standard on BNB Chain" | Referenced in trade press. No deployed contracts found anywhere. No source code. |
| Ultraviolet | Lists BSC with exact and upto schemes |
BSC appears in /supported but the response has empty signers — no wallet addresses listed for any chain. 72 networks claimed total. No assetTransferMethod: "permit2" present. No evidence of actual BSC settlement capability. |
Dexter
Dexter uses Permit2 via the standard @x402/evm SDK. There is one settlement path for BSC, using scheme: "exact" with assetTransferMethod: "permit2". The facilitator sponsors settlement gas. The first-time Permit2 approval requires one on-chain transaction from the payer (~$0.001 BNB). After approval, every payment is gasless. The facilitator can relay the approval via the erc20ApprovalGasSponsoring extension.
| Path | Token | Amount | TX |
|---|---|---|---|
| Permit2 | USDT | 0.01 USDT | 0xd10fdb...5506ea |
Comparison
| Dexter | AEON | Milady BSC | |
|---|---|---|---|
| SDK compatible | Standard SDK | Forked SDK required | Standard SDK |
| Works with USDT/USDC | Yes | Yes | No |
| Any ERC-20 | Yes (Permit2) | Not exposed | No ($U only) |
| Settlement gasless | Yes (Dexter sponsors) | Yes | Yes |
| Source public | Yes | No | N/A |
| On-chain settlements | Verified mainnet | 573,792+ txs | 3 txs found |
"Not exposed" means the property is not accessible via public selectors or documentation. This is distinct from confirmed absence, which requires bytecode analysis as performed above for the ReentrancyGuard check.
Verify It Yourself
Every claim in this report can be reproduced with a BSC RPC endpoint. No API keys needed. No explorer accounts. Standard JSON-RPC is sufficient for all of it.
1. Confirm USDT lacks EIP-3009
curl -X POST YOUR_BSC_RPC -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_call","params":[{
"to":"0x55d398326f99059fF775485246999027B3197955",
"data":"0xe3ee160e"}, "latest"],"id":1}'
# Returns: {"error":{"code":3,"message":"execution reverted"}}
# The function does not exist on BSC USDT.
2. Confirm Permit2 is deployed on BSC
curl -X POST YOUR_BSC_RPC -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_getCode","params":[
"0x000000000022D473030F116dDEE9F6B43aC78BA3","latest"],"id":1}'
# Returns non-empty bytecode (9,152 bytes). Permit2 is deployed.
3. Confirm x402ExactPermit2Proxy is deployed on BSC
curl -X POST YOUR_BSC_RPC -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_getCode","params":[
"0x402085c248EeA27D92E8b30b2C58ed07f9E20001","latest"],"id":1}'
# Returns non-empty bytecode (2,913 bytes). The x402 proxy is deployed.
4. Check any address's transaction count
curl -X POST YOUR_BSC_RPC -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_getTransactionCount",
"params":["0xe91e0E6080B0c19C71B616E628d7B715313D5036","latest"],"id":1}'
# AEON signer: returns 573,792+ (hex)
5. Find transactions via binary search on nonce
Standard JSON-RPC has no "get transactions by address." Use binary search instead:
# 1. Get nonce at different block heights to find when it incremented # 2. getBlock(blockNumber, includeTransactions=true) # 3. Find tx where from === address # 4. getTransactionReceipt(hash) for status and logs # This works on any EVM chain. No explorer API needed.
6. Read EIP-1967 implementation slot
curl -X POST YOUR_BSC_RPC -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_getStorageAt","params":[
"0x555e3311a9893c9b17444c1ff0d88192a57ef13e",
"0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc",
"latest"],"id":1}'
# Returns the implementation address behind AEON's proxy
7. Extract function selectors from bytecode
# Get bytecode cast code 0xd3326dd0933b013e78e5be6a4263480f526ce6c3 --rpc-url YOUR_BSC_RPC > bytecode.hex # Extract selectors (requires Foundry) cast selectors $(cat bytecode.hex)
8. Check for ReentrancyGuard
# OZ ReentrancyGuard uses storage slot: # 0x9b779b17422d0df92223018b32b4d1fa46e071723d6817e2486d003becc55f00 # Search for this value in the bytecode. # If absent: no ReentrancyGuard. grep "9b779b17" bytecode.hex
9. Hit facilitator /supported endpoints
curl -s https://facilitator.aeon.xyz/supported | jq .
curl -s https://x402.milady-app.com/supported | jq .
curl -s https://x402.dexter.cash/supported | jq '.kinds[] | select(.network == "eip155:56")'
# Dexter returns one kind for BSC: exact with assetTransferMethod: "permit2"