
Adding Solana Payments to ElizaOS: What I Learned About SSRF, Floating-Point, and IPv6
I spent the past couple of weeks adding Solana USDC payment support to ElizaOS via the x402 protocol. The payment flow itself was straightforward. The security and edge cases were not. This post is mostly about the latter.

Context

ElizaOS is an AI agent framework popular in the Solana ecosystem. The x402 protocol (by Coinbase) lets HTTP clients pay for API calls automatically — when a server responds with 402 Payment Required, the client signs a USDC transfer and retries.

There was already an EVM-only x402 plugin for ElizaOS (@elizaos/plugin-x402). Coinbase had also shipped @x402/svm — a Solana client implementation. But nobody had connected the two. So I did.

The plugin itself is about 500 lines across 6 files. The interesting part wasn't wiring up the payment — it was everything that could go wrong.

The IPv6 hex normalization problem

An ElizaOS agent takes URLs from conversation. That makes it an SSRF vector. A prompt injection could tell the agent to fetch https://169.254.169.254
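
An added example, not code from the original post or from the ElizaOS plugin: a pre-fetch host check that rejects the metadata address mentioned above, generalized to private and link-local ranges and to the IPv4-mapped IPv6 form, which the WHATWG URL parser rewrites to hex groups (`[::ffff:a9fe:a9fe]`). The function names and the blocklist are assumptions made for illustration.

```javascript
// Added example: names and the blocklist below are assumptions, not the plugin's code.
// IPv4 ranges an agent should never fetch: [network, prefix length].
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8],
  ["169.254.0.0", 16], // link-local, includes the 169.254.169.254 metadata address
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];

const v4ToInt = (s) => s.split(".").reduce((n, o) => (n * 256 + Number(o)) >>> 0, 0);

function v4Blocked(addr) {
  const ip = v4ToInt(addr);
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((v4ToInt(net) & mask) >>> 0);
  });
}

// Expand the compressed text form that URL emits into eight 16-bit groups.
function v6Groups(addr) {
  const [head, tail] = addr.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const fill = tail === undefined ? [] : Array(8 - h.length - t.length).fill("0");
  return [...h, ...fill, ...t].map((g) => parseInt(g, 16));
}

function v6Blocked(addr) {
  const g = v6Groups(addr);
  if ((g[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  if ((g[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  const embedsV4 = g.slice(0, 5).every((x) => x === 0) && (g[5] === 0xffff || g[5] === 0);
  if (!embedsV4) return false;
  // ::ffff:a9fe:a9fe is 169.254.169.254 in hex; "::" and "::1" fall into 0.0.0.0/8 here.
  return v4Blocked(`${g[6] >> 8}.${g[6] & 255}.${g[7] >> 8}.${g[7] & 255}`);
}

// True when the URL must not be fetched. Hostnames pass here and still need the
// same check on every address they resolve to.
function isBlockedUrl(input) {
  let url;
  try { url = new URL(input); } catch { return true; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return true;
  const host = url.hostname; // already normalized by the WHATWG parser
  if (host.startsWith("[")) return v6Blocked(host.slice(1, -1));
  if (/^\d+(\.\d+){3}$/.test(host)) return v4Blocked(host);
  return false;
}
```

The check runs on `url.hostname` rather than the raw string so that it sees the same normalized host the HTTP client will connect to.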


