Key facts
- Ethical hackers discovered a critical vulnerability in the Aptos blockchain's Move virtual machine.
- The flaw, a 'stale-cache bug' leading to type confusion, could have compromised onchain resources.
- A simulated attack using a $3,000 server achieved a high success rate.
- The potential systemic risk was estimated at $70 billion, affecting stablecoins and cross-chain bridges.
- Aptos Labs patched the vulnerability within hours of being notified on February 25.
- No funds were lost, and Aptos stated the bug had low exploitability in real-world conditions.

Ethical hackers from the security firm Hexens identified a critical vulnerability in the Aptos blockchain's Move virtual machine, a flaw that could have put up to $70 billion in digital assets at risk. The vulnerability, described as a 'stale-cache bug' leading to type confusion, was discovered using a server setup costing approximately $3,000, and a simulated attack achieved a success rate exceeding 90% under real network conditions. This type of bug could have allowed an attacker to compromise sensitive onchain resources, impacting stablecoins, cross-chain bridges, and DeFi protocols.

Aptos Labs was notified of the issue on February 25 and responded by deploying a patch to the mainnet within hours. A spokesperson for Aptos stated that no users or funds were impacted and disputed the practical exploitability of the bug, suggesting it would have had extremely low exploitability in real-world conditions. However, researchers like Vahe Karapetyan, CTO and co-founder of Hexens, and Mudit Gupta, CTO at Polygon, who reviewed the proof-of-concept, indicated the exploit was feasible.

Grego AI independently verified the proof-of-concept and calculated that approximately $250 million in Aptos-native total value locked (TVL) was directly at risk. The broader systemic risk assessment of $70 billion included value accessible through bridges, cross-chain messaging systems, and centralized exchanges. The exploit could have allowed attackers to steal protocol capabilities, such as those held by LayerZero and Wormhole, and mint unlimited stablecoins like USDC, though companies like Circle might have intervened by halting transfers.
