Close call! Cybersecurity firm discovers Aptos vulnerability: $70 billion in cryptocurrency at systemic risk.

Cybersecurity firm Hexens' white-hat hackers have identified a type confusion vulnerability in Aptos blockchain's Move virtual machine, with an attack success rate approaching 90%. Hexens estimates that if maliciously exploited, the systemic risks involving cross-chain bridges, stablecoin issuances, and exchanges could reach $70 billion.



A server costing less than $3,000 to set up, plus a white-hat hacker team, is enough to expose $70 billion in crypto assets to risk? That's the conclusion from cybersecurity firm Hexens' simulated attack on the Aptos blockchain. Researchers recreated the attack under conditions close to the mainnet, achieving a success rate approaching 90%.

Hexens CTO Vahe Karapetyan discovered the vulnerability. The issue sits in Aptos' Move virtual machine (the core environment for executing smart contracts), and Hexens describes it as a "stale-cache bug" that leads to "type confusion."

Simply put, the software can be misled into treating one type of on-chain resource as another. Put in terms of the Ethereum architecture, this is analogous to attacker-controlled code writing directly into the storage space of other contracts, completely bypassing the type safety guarantees that the Move language was designed to maintain.

$3,000 server, 18 successful simulations out of 20

Karapetyan's team built a simulation environment close to mainnet scale to verify the vulnerability's feasibility: over 30 validator nodes, staking distribution close to mainnet reality, along with real transaction traffic and high-intensity execution competition. The cost to set up this entire environment was only about $3,000; launching a real attack would cost even less, and it does not require validator privileges, insider knowledge, or any privileged access.

The team tested approximately 20 times in the simulation environment, succeeding 17 to 18 times, translating to a success rate near 90%. Even the occasional 2 to 3 failures would not cause the network to halt, and attackers could patiently wait for the next window to strike again.

SEAL911 responds overnight, patches within 48 hours

Hexens officially reported the vulnerability through the Aptos bug bounty program on February 25, 2026.

Aptos stated that upon receiving the report, the team was already internally triaging the issue. On the same day, the crypto industry volunteer emergency response team "SEAL911" immediately set up a war room. This team has become a critical first-line defense layer in the crypto ecosystem when facing major vulnerabilities.

Within hours, Aptos notified affected vendors, and that afternoon further informed four major downstream projects, attaching a proof-of-concept (PoC) that could be run locally. By February 27, a public patch pull request was online; Aptos emphasized that before the public commit, the team had already deployed the patch to private validators.

An Aptos official told CoinDesk: "When we received the report through the bug bounty on February 25, we were already triaging internally. The patch was developed, tested, and deployed to mainnet within hours of discovery, and no users or funds were affected throughout the entire process."

"Nearly unexploitable"? Third-party verification contradicts official statement

However, Aptos' public stance significantly differs from Hexens' assessment. Aptos told CoinDesk: "Our analysis indicates that this vulnerability is extremely difficult to exploit under real-world conditions." Hexens responded that they have yet to receive any evidence-based technical rebuttal; the only concern raised by the official side is the probabilistic nature of the vulnerability itself, which is precisely what the "unarmed calibration" technique aims to solve.

But third-party verification results seem to lean more towards Hexens. Polygon CTO Mudit Gupta independently reviewed the PoC and said: "It executes as claimed, the vulnerability makes sense... A few conditions need to be met, and it appears they indeed achieved that on mainnet."

Another independent firm verifying Hexens' PoC, Grego AI, pointed out that the vulnerability is sufficient to steal control over multiple protocols, including LayerZero, Wormhole, and the USDC cross-chain protocol CCTP. Grego AI CEO Justus Hanna stated bluntly: "If a malicious actor gets hold of this vulnerability, they could take any total value locked (TVL) they want."

From $250 million to $70 billion: Magnifying risk estimation layers

Hexens estimates that direct on-chain exposure on Aptos, involving DeFi, tokenized assets, stablecoin infrastructure, and liquid staking protocols, is around "several billion dollars"; Grego AI calculates, based on the nearly 90% attack success rate, that approximately $250 million of Aptos' native TVL is directly threatened, not including cross-chain exposure.

Zooming out to broader systemic risk, Hexens gives a figure of $70 billion, covering cross-chain bridges, cross-chain messaging systems, stablecoin issuance management processes, and asset value accessible by centralized exchanges. This staggering figure assumes an attacker massively mints USDC and then moves assets to other chains via Circle's Cross-Chain Transfer Protocol (CCTP).

However, Circle recently stated that it will not freeze assets without legal authorization. In other words, if parties intervene in time, the probability of the full $70 billion being realized is low, but the number still illustrates the scale of the problem.

Notably, in the Move language, key protocol permissions such as minting stablecoins, controlling cross-chain bridges, and managing lending markets are often stored as "on-chain resources." Once such roles are compromised, the damage is not limited to a single protocol but spreads along the trust chain to all dependent systems.

During practical testing, Hexens' team even temporarily took over a role similar to "master minter" and operated along legitimate management paths. Although they ultimately stopped short of actual minting, it was enough to prove that such roles must be included in a complete threat model. Researchers believe that the main pathway to broader exposure is actually centralized exchanges, especially the Aptos bridging paths connecting on-chain activities with exchange deposit bookkeeping.
