Payment replay is not explicitly prevented across identical requests

[yeastybunks]

Overview

The x402 protocol validates payments per request, but there is currently no explicit safeguard to prevent the same valid payment from being replayed across multiple identical requests. This can lead to unintended repeated access to paid endpoints using a single payment.

Problem Description

If a client captures a valid payment payload (headers/signature) and reuses it for the same endpoint with identical parameters, the middleware may accept the request again if no replay protection is enforced. This is especially problematic for paid APIs that assume one payment equals one successful request.

Expected Behavior

• A payment should be accepted at most once for a given request context.
• Replayed payments should be rejected with a clear error.
• Replay protection behavior should be well-defined and documented.

Steps to Reproduce

1. Send a valid paid request to an x402-protected endpoint.
2. Capture the payment headers/signature.
3. Replay the same request with identical headers.
4. Observe that the request may be accepted again.

Example code

```ts
// First request (valid payment)
fetch("/api/paid", {
  headers: {
    "X-402-Payment": "<signed-payload>",
  },
});

// Second request (replay of the same payment)
fetch("/api/paid", {
  headers: {
    "X-402-Payment": "<signed-payload>",
  },
});

Proposed Solution

• Introduce replay protection by associating each payment with a unique identifier (e.g., nonce, request hash, or payment ID).
• Track consumed payment identifiers for a configurable time window.
• Reject requests that attempt to reuse an already-consumed payment.
• Clearly document replay protection guarantees and limitations.

[0xsnackbaker]

related to #808

[mkmkkkkk]

This is a critical gap. Let me break down the attack surface and a defense-in-depth approach:

What ERC-3009 already gives you
The on-chain transferWithAuthorization function checks that each bytes32 nonce is used exactly once. So at the settlement layer, replay is prevented by the contract itself — you can't execute the same authorization twice.

Where the gap is
The vulnerability is at the resource server layer: if a server verifies a payment via /verify, serves the resource, but the facilitator hasn't settled yet, an attacker can replay the same X-Payment header to a different server instance (or the same one after a restart) and get the resource again — before the nonce is consumed on-chain.

Defense-in-depth:

1. Facilitator-side nonce registry — The facilitator should track (nonce, payer, network) tuples from the moment /verify is called, not just after /settle. Status: VERIFIED → SETTLING → SETTLED | EXPIRED. Any second /verify call with the same nonce returns { isValid: false, invalidReason: "nonce_already_claimed" }.

2. EIP-712 domain separator binding — The verifyingContract + chainId in the EIP-712 domain already prevents cross-chain replay. But resource servers should additionally check that the resource field in PaymentRequirements matches their endpoint, preventing same-chain replay to different services.

3. Tight validAfter/validBefore windows — Shrinking the authorization validity window (e.g., 30-60 seconds) minimizes the replay attack surface. Combined with nonce tracking, this makes replay practically infeasible.

This ties directly into #808 — a shared nonce registry serves both replay prevention and idempotency. Would be worth considering them as a unified "payment lifecycle tracker" in the facilitator spec.