
Ethical hackers found Aptos blockchain flaw risking $70B in crypto

Created at 4 Jul · 8:25 PM · 1 source · ↑ Market-relevant
IN SHORT

Ethical hackers from Hexens discovered a critical vulnerability in the Aptos blockchain's Move virtual machine. A $3,000 server setup allowed them to simulate an attack that could have put up to $70 billion in digital assets at risk, including stablecoins and cross-chain bridges. The vulnerability was patched within days.


Key Numbers

  • $3,000: server cost for attack simulation
  • $70 billion: potential crypto risk exposure
  • February 25: date vulnerability was reported
  • over 90%: simulated attack success rate
  • $250 million: direct Aptos-native TVL at risk

Who's Involved

Hexens
blockchain security firm that discovered the vulnerability
Aptos Labs
blockchain project that patched the vulnerability
Vahe Karapetyan
CTO and co-founder of Hexens
Mudit Gupta
CTO at Polygon, reviewed proof-of-concept
Grego AI
verified Hexens' proof-of-concept and calculated direct risk
Justus Hanna
CEO at Grego AI

↳ Why This Matters

The incident highlights the ongoing vulnerability of blockchain infrastructure to sophisticated exploits, even with significant security measures in place, and underscores the potential for catastrophic financial losses in the crypto ecosystem.

Key facts

  • Ethical hackers discovered a critical vulnerability in the Aptos blockchain's Move virtual machine.
  • The flaw, a 'stale-cache bug' leading to type confusion, could have compromised onchain resources.
  • A simulated attack using a $3,000 server achieved a high success rate.
  • The potential systemic risk was estimated at $70 billion, affecting stablecoins and cross-chain bridges.
  • Aptos Labs patched the vulnerability within hours of being notified on February 25.
  • No funds were lost, and Aptos stated the bug had low exploitability in real-world conditions.

Ethical hackers from the security firm Hexens identified a critical vulnerability in the Aptos blockchain's Move virtual machine, a flaw that could have potentially put up to $70 billion in digital assets at risk. The vulnerability, described as a 'stale-cache bug' leading to type confusion, was demonstrated with a server setup costing approximately $3,000, which simulated an attack with a success rate exceeding 90% under real network conditions. A bug of this type could have allowed an attacker to compromise sensitive onchain resources, impacting stablecoins, cross-chain bridges, and DeFi protocols.
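The article names the bug class (a stale cache leading to type confusion) without describing the Move VM internals, and the details of the Aptos bug are not on this page. The following is an added, constructed illustration (not Hexens', Aptos Labs' or CoinDesk's code, and not the actual flaw) of the general failure mode: a store that caches the type tag of a slot and trusts the cached tag after the slot has been rewritten hands back a resource of one type as if it were another. The hardened variant invalidates the cache on write and re-validates the live tag on every borrow, which is the check a defender would want. `Resource`, `NaiveStore`, `CheckedStore` and the addresses are hypothetical names used only for this example.

```python
"""Constructed toy: stale type-tag cache -> type confusion, and the fix.

Not the Aptos/Move implementation; the resource model here is invented
purely to show the defensive pattern (invalidate on write, re-check on read).
"""
from dataclasses import dataclass


@dataclass
class Resource:
    # Type tag the VM would use to decide how a slot may be used,
    # e.g. a fungible coin vs. a privileged capability.
    type_tag: str
    value: int


class NaiveStore:
    """Caches the type tag seen at first lookup and never re-checks it."""

    def __init__(self) -> None:
        self._slots: dict[str, Resource] = {}
        self._type_cache: dict[str, str] = {}

    def put(self, addr: str, res: Resource) -> None:
        # Overwrites the slot but leaves any cached tag untouched (the defect).
        self._slots[addr] = res

    def borrow_as(self, addr: str, expected_tag: str) -> Resource:
        tag = self._type_cache.get(addr)
        if tag is None:
            tag = self._slots[addr].type_tag
            self._type_cache[addr] = tag
        if tag != expected_tag:
            raise TypeError(f"{addr}: expected {expected_tag}, cached {tag}")
        # The cached tag passed, but the slot may now hold a different type.
        return self._slots[addr]


class CheckedStore(NaiveStore):
    """Same store with the two checks that close the confusion window."""

    def put(self, addr: str, res: Resource) -> None:
        super().put(addr, res)
        # Fix 1: a write to the slot invalidates its cached type.
        self._type_cache.pop(addr, None)

    def borrow_as(self, addr: str, expected_tag: str) -> Resource:
        res = super().borrow_as(addr, expected_tag)
        # Fix 2: never trust the cache alone; compare against the live slot.
        if res.type_tag != expected_tag:
            raise TypeError(f"{addr}: live tag {res.type_tag} != {expected_tag}")
        return res


def demo(store_cls: type[NaiveStore]) -> str:
    """Warm the cache with a Coin, swap the slot to a Capability, borrow as Coin.

    Returns the type tag actually handed back, or "rejected" if the store
    refused the borrow. Addresses and tags are constructed sample values.
    """
    store = store_cls()
    store.put("0xA", Resource("Coin", 100))
    store.borrow_as("0xA", "Coin")                 # populates the type cache
    store.put("0xA", Resource("Capability", 1))    # slot now holds another type
    try:
        return store.borrow_as("0xA", "Coin").type_tag
    except TypeError:
        return "rejected"


if __name__ == "__main__":
    print("naive store hands back:", demo(NaiveStore))      # Capability (confused)
    print("checked store result:", demo(CheckedStore))      # rejected
```

Running the module shows the naive store returning a `Capability` resource to a caller that asked for a `Coin`, which is the shape of a type-confusion bug; the checked store rejects the same sequence. The lesson for any VM or storage layer is that a cache keyed on identity must be invalidated by every write path, and that the cheap re-validation on read is worth keeping as defence in depth.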

Aptos Labs was notified of the issue on February 25 and responded by deploying a patch to the mainnet within hours. A spokesperson for Aptos stated that no users or funds were impacted and disputed the practical exploitability of the bug, suggesting it would have had extremely low exploitability in real-world conditions. However, researchers like Vahe Karapetyan, CTO and co-founder of Hexens, and Mudit Gupta, CTO at Polygon, who reviewed the proof-of-concept, indicated the exploit was feasible.

Grego AI independently verified the proof-of-concept and calculated that approximately $250 million in Aptos-native total value locked (TVL) was directly at risk. The broader systemic risk assessment of $70 billion included value accessible through bridges, cross-chain messaging systems, and centralized exchanges. The exploit could have potentially allowed attackers to steal protocol capabilities, such as those held by LayerZero and Wormhole, and mint unlimited stablecoins like USDC, though companies like Circle might have intervened by halting transfers.

Frequently asked questions

Researchers discovered a 'stale-cache bug' in the Aptos Move virtual machine, which is a type-confusion vulnerability that could trick software into treating one type of onchain resource as another.

The potential systemic risk was estimated at up to $70 billion, though direct exposure on Aptos was assessed in the low single-digit billions.

No, the vulnerability was patched within hours of discovery, and no users or funds were impacted.

Ethical hackers from Hexens used a $3,000 server setup to simulate an attack, achieving a success rate of over 90% under conditions designed to approximate the real Aptos network.

What Happens Next

01. Aptos Labs continues to monitor its network for any residual security threats.
02. Hexens and other security firms will likely continue to audit blockchain protocols for similar vulnerabilities.


How It Developed

Researchers at Hexens identified a 'stale-cache bug' in the Aptos Move virtual machine.
The vulnerability could have allowed attackers to treat one onchain resource as another.
Hexens reported the critical vulnerability through emergency security channels on February 25.
Aptos Labs deployed a fix to mainnet within hours of the discovery.
No users or funds were impacted, and Aptos disputed the bug's practical exploitability.

Sources

T1: How ethical hackers with just a $3,000 server found a flaw that could've put $70 billion in crypto at risk (CoinDesk)
