Blockchain security firm Hexens disclosed a critical type-confusion vulnerability in the Aptos Move virtual machine that, if exploited, could have exposed roughly $70 billion in systemic crypto risk, spanning bridges, stablecoin administration, cross-chain messaging, and centralized exchange deposit rails. The flaw stemmed from a stale-cache bug in the execution environment that processes Move smart contracts on Aptos, the layer-1 chain whose Move language was originally developed inside Facebook's now-shelved Diem project.
Researchers simulated the attack path about 20 times in a test environment built to approximate Aptos mainnet conditions, using a cluster of more than 30 validator nodes, organic transaction traffic, and a server setup costing approximately $3,000. They succeeded 17 to 18 times. The two or three failed runs did not stop the network; the attacker could have simply waited for another window. Polygon CTO Mudit Gupta, who independently reviewed the proof-of-concept materials, said the exploit held up: "It ran as claimed, and the exploit made sense."
Why it matters
The sensitivity of this class of bug comes down to how Move handles authority. Protocol permissions, including the right to mint a stablecoin, control a bridge, or administer a lending market, are often stored directly as onchain resources. Compromise those resources and the damage does not stop at one protocol; it extends to everything that trusts them. Grego AI, which independently verified the proof-of-concept, calculated that approximately $250 million in Aptos-native TVL was directly at risk, and noted the exploit could also have been used to steal protocol capabilities including those held by LayerZero, Wormhole, and USDC's Cross-Chain Transfer Protocol.
Aptos Labs acknowledged the report and said a fix was developed, tested, and deployed to mainnet within hours of discovery on February 25, with no users or funds impacted. The team also disputed the practical exploitability of the bug, telling CoinDesk its analysis determined "the bug would have extremely low exploitability in real world conditions." Hexens says it has not received a technical rebuttal or evidence-based argument disputing the demonstrated impact classes.
Market impact
The disclosure lands at a moment when several high-profile bugs have already reminded the industry how thin the margin can be.
Frequently asked questions
- What was the Aptos Move VM vulnerability?
A stale-cache bug leading to a type-confusion vulnerability in the Aptos Move virtual machine, the execution environment that processes Move smart contracts on the chain. It was reported through Aptos's bug bounty program on Feb. 25 and patched within hours.
- How much could the bug have put at risk?
Hexens assessed roughly $70B in broader first-order systemic risk across bridges, stablecoin administration, cross-chain messaging, and centralized exchange deposit rails. Grego AI separately calculated approximately $250M in Aptos-native TVL as directly at risk.
- How did researchers simulate the attack?
Hexens ran the exploit path about 20 times in a simulated environment using a cluster of more than 30 validator nodes, organic transaction traffic, and a server setup that cost approximately $3,000. They succeeded 17 to 18 times; the two or three failed runs did not halt the network.
- Did Aptos confirm the bug was exploited or funds lost?
No. Aptos Labs said the issue was reported through its bug bounty program on Feb. 25, a fix was developed, tested, and deployed to mainnet within hours, and no users or funds were impacted. The team disputed the practical exploitability of the bug.
- Why is this class of bug so sensitive for Move-based chains?
Protocol permissions in Move, including the right to mint a stablecoin, control a bridge, or administer a lending market, are often stored directly as onchain resources. Compromise those resources and the damage extends to every protocol that trusts them, including LayerZero, Wormhole, and USDC's CCTP.
CoinDesk