A critical vulnerability discovered in the Aptos blockchain could have exposed up to $70 billion in crypto infrastructure to attack, according to blockchain security firm Hexens. The flaw, found in the Aptos Move Virtual Machine (VM), was reportedly exploitable using infrastructure costing only around $3,000, underscoring how a bug at the virtual-machine layer can be far cheaper to exploit than the assets that depend on it.
Hexens identified the issue in late February and immediately reported it through Aptos Labs' bug bounty program. The vulnerability, described as a "stale-cache bug" leading to type confusion, could have allowed attackers to manipulate on-chain resources that control sensitive protocol permissions, including stablecoin minting, cross-chain bridges, and decentralized finance (DeFi) platforms.
Aptos Labs confirmed that the flaw was patched within hours of disclosure and emphasized that no user funds were affected. The company also stated that its internal analysis found the exploit to have "extremely low exploitability" under real-world conditions.
However, independent experts reviewed Hexens' proof of concept and agreed the exploit was technically valid. Researchers successfully simulated the attack in a test environment that closely mirrored Aptos mainnet conditions, achieving a success rate of roughly 90%.
Hexens estimated that billions of dollars in Aptos-based assets were directly exposed, while broader systemic risks—including bridges, stablecoins, centralized exchanges, and cross-chain messaging protocols—could have reached approximately $70 billion. Grego AI, which independently verified the findings, warned that attackers could have gained control over critical protocol capabilities tied to platforms such as LayerZero, Wormhole, and Circle's Cross-Chain Transfer Protocol (CCTP).
The researchers stressed that the $70 billion figure represents a theoretical maximum, noting that emergency measures such as stablecoin freezes and exchange safeguards would likely have limited the final impact. Even so, they argued the incident demonstrates how blockchain-level vulnerabilities can threaten the wider crypto ecosystem.
Following the disclosure, Aptos coordinated with the SEAL911 emergency security group and downstream projects to deploy patches before making the fix public. The incident serves as a reminder that rapid vulnerability disclosure, coordinated response, and strong security practices remain essential to protecting blockchain networks and digital assets.