A serious vulnerability in the Aptos blockchain, which has since been addressed, enabled researchers to achieve nearly a 90% success rate in breaching a fundamental security safeguard, with attack expenses amounting to only a few hundred dollars.
By Oliver Knight | Edited by Cheyenne Ligon, Nikhilesh De, Jamie Crawley
Updated Jul 4, 2026, 8:16 p.m. Published Jul 4, 2026, 6:00 p.m.

Summary
- Researchers from Hexens, a cybersecurity firm, identified a flaw in the Aptos blockchain that, although patched, could have jeopardized up to $70 billion in digital assets, including stablecoins and cross-chain bridges.
- The team simulated the attack with a success rate exceeding 90% under real-world conditions, utilizing a $3,000 server to replicate about one-third of the validator network, with no insider access or special permissions needed.
- The vulnerability was reported through urgent security channels on February 25, and a fix was implemented within days to avert any potential loss of funds.
A server costing $3,000 sufficed for a blockchain security expert to mimic an attack route that could have endangered up to $70 billion in crypto infrastructure.
The discovery revolved around a weakness in Aptos, a layer-1 blockchain utilizing Move, the smart contract programming language developed from Facebook’s abandoned Diem project.
In late February, Hexens' researchers reported a significant vulnerability in the Aptos Move virtual machine, the environment responsible for executing smart contracts on the blockchain. They identified a "stale-cache bug" that resulted in a type-confusion vulnerability, a scenario where the software misinterprets one type of on-chain resource as another.
The Aptos team acted promptly to patch the flaw once it was identified, ensuring no funds were lost.
“Aptos Labs was alerted to a potential issue through our bug bounty program on February 25, which was already under internal review at that time,” an Aptos spokesperson told CoinDesk. “A fix was developed, tested, and deployed to the mainnet within hours of discovery. No users or funds were affected at any time.”
The spokesperson also challenged the practical exploitability of the flaw, stating to CoinDesk, “Our analysis concluded that the bug would have exceedingly low exploitability in real-world scenarios.”
Nevertheless, the findings from researchers highlight how narrowly the ecosystem avoided a potentially transformative incident.
The severity of this type of bug relates to how the Move language manages authority. In Move, protocol permissions, such as the ability to mint stablecoins, control bridges, or manage lending markets, are often stored directly as on-chain resources. If these resources are compromised, the repercussions extend beyond a single protocol to all that depend on them.
Hexens' researchers likened the vulnerability to a flaw on an Ethereum-like chain that would permit attacker-controlled code to overwrite storage belonging to other contracts, undermining the type-system assurances that Move was specifically designed to maintain.
Mudit Gupta, CTO at Polygon, independently reviewed the proof-of-concept and confirmed the exploit's validity. "It operated as claimed, and the exploit was logical," he told CoinDesk. "It necessitated a few conditions being met, which evidently occurred on the mainnet."
Additionally, Grego AI, which verified Hexens' proof-of-concept, estimated that roughly $250 million in Aptos-native total value locked (TVL) was directly at risk based on the near-90% success rate, separate from potential cross-chain implications.
The $70 Billion Risk
The vulnerability, uncovered by Vahe Karapetyan, CTO and co-founder of Hexens, posed a much larger systemic risk across bridges, stablecoins, decentralized finance (DeFi) protocols, and centralized exchanges, potentially costing billions and triggering a crisis far beyond just Aptos.
And all it would have required was a few thousand dollars' worth of servers.
The total expenditure for setting up the infrastructure necessary to conduct this experiment was about $3,000 for a server that simulated conditions akin to the Aptos mainnet. However, a malicious actor could have executed the exploit for significantly less, as it did not necessitate validator access, insider knowledge, or privileged permissions.
The team executed the exploit path approximately 20 times in a simulated setting, achieving success 17 or 18 times. The few failed attempts would not have halted the network, providing the attacker additional opportunities to try again.
The simulation closely mirrored actual network conditions, employing a cluster of over 30 validator nodes, a stake distribution resembling the mainnet, organic transaction traffic, and intense execution contention. The Hexens team also conducted what they termed "non-armed calibration techniques": preliminary tests that evaluated mempool and block-construction conditions before initiating an armed attempt. The firm stated that these measures significantly minimized uncertainty associated with the exploit's probabilistic elements, enhancing the attack path's reliability in practice.
Using publicly available data at the time of reporting, Hexens estimated direct and first-order protocol exposure on Aptos, encompassing DeFi protocols, tokenized assets, stablecoin infrastructure, and liquid-staking systems, at low single-digit billions.
However, the broader risk could have been even greater, as compromises at the blockchain level rarely remain confined to just the affected chain.
Hexens assessed that the overall first-order systemic risk was around $70 billion—an enormous figure that includes value accessible through bridges, cross-chain messaging systems, stablecoin administration flows, and centralized exchanges.
Grego AI noted that the exploit could also have been leveraged to seize protocol capabilities, including those associated with LayerZero, Wormhole, and USDC's Cross-Chain Transfer Protocol (CCTP). "If malicious actors had access to this bug, they could have taken whatever total value locked they wanted," stated Justus Hanna, CEO of Grego AI.
This simulation underscores the industry's vulnerability to latent flaws within blockchain technology.
If an attacker had successfully discovered and exploited the bug, the losses could have easily surpassed the $1.5 billion stolen in a Bybit hack last year. Recently, in June, Zcash (ZEC) dropped 38% after developers disclosed a critical vulnerability that had been hidden in its privacy pool for four years, which could have enabled an attacker to create unlimited counterfeit tokens unnoticed. Prior to that, substantial bridge hacks and protocol exploits had drained liquidity pools and shaken confidence in the underlying infrastructure of the broader market.
It is essential to note that the $70 billion figure is an estimate based on the hypothetical minting of a significant amount of USDC stablecoin and utilizing Circle's Cross-Chain Transfer Protocol (CCTP) to transfer it across chains. In the event of such an action, it is likely that a company like Circle would halt USDC transfers, although this has been scrutinized recently as the stablecoin issuer stated it does not freeze assets without legal authorization. Therefore, while the entire $70 billion figure might not be realized if all parties intervened, it would still have significantly impacted the industry.
This proof-of-concept testing revealed access to the types of authority that govern cross-chain systems: bridge capabilities, signer roles, master-minter functions, and protocol accounting states. Researchers validated a takeover of a master-minter-style role and demonstrated a legitimate administrative path, stopping short of minting tokens but illustrating why such roles must be included in threat models. The primary vector into the broader surface area typically runs through centralized exchanges, specifically the Aptos bridge pathways that link on-chain activities to exchange deposit credits.
Response and Disclosure
The same day Hexens submitted its report, a "SEAL911" emergency task force was established to coordinate the response. SEAL911 is a volunteer security collective that has emerged as a crucial first-responder network across the crypto landscape.
The vendor was alerted just hours after the task force's initiation, and four major downstream projects were notified that afternoon, each receiving locally runnable proof-of-concept materials and analysis of relevant authority patterns.
A public pull request reflecting the patch was made available on February 27. Aptos indicated that a private-validator patch had been implemented prior to the public commit.
Hexens has stated that it has not received any technical rebuttals or evidence-based challenges disputing the demonstrated impact classes. The firm claims that the main concern communicated back to the researchers revolved around the probabilistic aspects of the exploit, which the team's calibration work aimed to address.
While no funds were compromised, the simulation illustrated that in a blockchain-level breach, rate limits, issuer freezes, bridge controls, exchange monitoring, and validator patches are not merely secondary safeguards. They can be the difference between a contained vulnerability and a widespread market exploit.