A $3,000 server revealed a critical Aptos blockchain vulnerability, showing a 90% success rate to compromise $70B in digital assets.
A critical flaw in the Aptos blockchain could have exposed up to $70 billion in digital assets to systemic risk, security firm Hexens reported.
Ethical hackers demonstrated a near-90% success rate in exploiting the flaw in a simulated environment, Hexens stated.
The simulated attack required approximately $3,000 worth of server infrastructure, according to Hexens.
Aptos Labs patched the vulnerability within hours of discovery and disputed its practical exploitability in real-world conditions, an Aptos spokesperson said.
A critical vulnerability in the Aptos blockchain, since patched, could have put as much as $70 billion in crypto infrastructure at systemic risk, security firm Hexens reported. Researchers at blockchain security firm Hexens discovered the flaw in late February and reported it to the Aptos development team, Hexens stated. The vulnerability, described as a "stale-cache bug" leading to a type-confusion condition, was found within the Aptos Move virtual machine, Hexens explained. An Aptos spokesperson told CoinDesk that Aptos Labs was notified on February 25 and deployed a fix to mainnet within hours. Hexens CTO and co-founder Vahe Karapetyan identified the vulnerability, which allowed researchers to simulate an attack path that could compromise on-chain resources controlling protocol permissions, Hexens reported. This class of bug, if exploited, could extend damage beyond a single protocol to everything that trusts it, Hexens suggested. Mudit Gupta, CTO at Polygon, independently reviewed the proof-of-concept materials and confirmed the exploit's validity, telling CoinDesk that it "ran as claimed."
Background on Aptos and Move Security
Aptos is a layer-1 blockchain built on Move, a smart contract language originally developed for Facebook's shelved Diem project, according to industry descriptions. Move was designed with strong type-system guarantees to prevent common vulnerabilities by strictly defining how resources are handled and accessed. Hexens' researchers noted the discovered bug was comparable to a flaw on an Ethereum-style chain that would permit attacker-controlled code to write into other contracts' storage, bypassing Move's inherent security design. The simulation of the exploit path was conducted in an environment closely approximating Aptos mainnet conditions, Hexens said. This included a cluster of over 30 validator nodes, a mainnet-shaped stake distribution, organic transaction traffic, and heavy execution contention, according to Hexens. The team also employed "non-armed calibration techniques" to measure mempool and block-construction conditions, which Hexens claimed reduced uncertainty from probabilistic elements, making the attack path more reliable.
Hexens researchers achieved a success rate of 17 or 18 out of 20 attempts in simulating the exploit, demonstrating a near-90% probability of success.
Systemic Risk Across Interconnected Ecosystems
Hexens initially assessed direct and first-order protocol exposure on Aptos, covering DeFi protocols, tokenized assets, stablecoin infrastructure, and liquid-staking systems, at low single-digit billions based on public data at the time of reporting. However, the firm determined the broader first-order systemic risk could be approximately $70 billion. This larger figure accounts for value accessible through bridges, cross-chain messaging systems, stablecoin administration flows, and centralized exchanges, Hexens detailed. Grego AI, which independently verified Hexens' proof-of-concept, calculated that approximately $250 million in Aptos-native Total Value Locked (TVL) was directly at risk due to the exploit's high success rate, independent of broader cross-chain exposure. The firm also noted that the exploit could be used to steal protocol capabilities, including those held by LayerZero, Wormhole, and USDC's Cross-Chain Transfer Protocol (CCTP), Grego AI stated. Justus Hanna, CEO at Grego AI, told CoinDesk that malicious actors "would have been able to take all [the] TVL that they want[ed]" if they had access to the bug. The $70 billion estimate reflects a scenario where a large amount of USDC stablecoin could be minted and transferred across chains using Circle's CCTP, Hexens outlined. While such a large-scale exploit might trigger intervention from entities like Circle to halt transfers, the potential for industry-wide disruption would remain significant, Hexens noted. This highlights the inherent vulnerabilities in interconnected blockchain systems, where a flaw in one layer can cascade into broader systemic risk, impacting multiple protocols and financial instruments across the wider crypto ecosystem.
The total cost to simulate the critical Aptos exploit was approximately $3,000 for server infrastructure, Hexens estimated.
Hexens’ revelation of a critical "stale-cache" bug within the Aptos Move virtual machine punctures the tech-stack exceptionalism that has long insulated Move-based blockchains. For years, Aptos and Sui have championed Move’s strict type-system as an unhackable fortress against the reentrancy and storage bugs plaguing Ethereum. This disclosure proves that even perfectly audited smart contracts mean nothing if the underlying execution layer itself can be tricked into a type-confusion state. By weaponizing a multi-block synchronization attack for just $3,000, hackers demonstrated they could bypass Move's core memory safeguards to manipulate cross-chain protocols like Circle’s CCTP and Wormhole, triggering a staggering $70 billion systemic risk canvas. While Aptos Labs’ rapid mainnet patch prevented disaster, the exploit’s 90% simulation success rate is a massive wake-up call for DeFi founders. Security cannot be outsourced to a programming language; as cross-chain infrastructure becomes deeply tightly wound, execution-layer bugs remain the industry’s ultimate single point of failure.
Industry Response and Persistent Challenges
Following Hexens' report, a "SEAL911" emergency warroom was opened to coordinate the response, indicating the perceived severity of the vulnerability, according to Hexens. SEAL911 is a volunteer security group often acting as a first-responder layer across the crypto ecosystem. The Aptos team and four major downstream projects were alerted, receiving proof-of-concept materials and analysis, Hexens stated. A public pull request reflecting the patch became available on February 27, though Aptos stated a private-validator patch had been deployed earlier, Hexens reported. An Aptos spokesperson, while confirming the patch, disputed the practical exploitability of the bug in real-world conditions, telling CoinDesk that their analysis "determined the bug would have extremely low exploitability." Hexens, however, stated it has not received a technical rebuttal or evidence-based argument disputing the demonstrated impact classes. The firm claimed that the main concern conveyed back to the researchers involved the probabilistic aspects of the exploit, precisely what the team's calibration work was designed to address. This incident underscores the persistent challenge of securing emergent blockchain architectures, particularly those built on novel programming languages like Move. The ability of ethical hackers to identify and simulate such a far-reaching vulnerability with minimal resources highlights the critical role of independent security audits and bug bounty programs in identifying risks that could otherwise go unnoticed. While no funds were lost in this instance, the simulation served as a stark reminder that in a blockchain-level compromise, rate limits, issuer freezes, bridge controls, and exchange monitoring are not merely secondary safeguards; they can become the crucial boundary between a contained bug and a market-wide exploit, Hexens concluded. The continuous evolution of attack vectors demands a proactive and multi-layered security approach, bridging technical diligence with robust ecosystem-wide response mechanisms to mitigate systemic threats.
Frequently asked questions
What was the critical flaw found in the Aptos blockchain?
Ethical hackers from Hexens discovered a "stale-cache bug" leading to a type-confusion vulnerability in the Aptos Move virtual machine. This flaw could trick software into misinterpreting on-chain resources, potentially giving attackers control over protocol permissions.
How much crypto was potentially at risk due to the Aptos flaw?
Researchers estimated that the flaw could have put approximately $70 billion in crypto at systemic risk. This included value across bridges, stablecoins, DeFi protocols, and centralized exchanges.
How much did it cost ethical hackers to simulate the Aptos attack?
The ethical hackers from Hexens used a $3,000 server to simulate the attack path. This infrastructure allowed them to approximate Aptos mainnet conditions and demonstrate a near-90% success rate in exploiting the vulnerability.
Was any money lost due to the Aptos blockchain vulnerability?
No, no funds were lost. The Aptos team patched the vulnerability within hours of discovery after being notified by Hexens through their bug bounty program on February 25.
What is the significance of the Move language in this vulnerability?
The Move language, used by Aptos, stores protocol permissions as on-chain resources. The vulnerability compromised these resources, meaning damage could extend to everything that trusted them, bypassing Move's type-system guarantees.
What other major crypto exploits does this Aptos incident compare to?
The potential $70 billion risk could have dwarfed the $1.5 billion Bybit hack. It highlights similar systemic vulnerabilities seen in incidents like the Zcash privacy bug or various nine-figure bridge hacks.








