Loading prices...
All news
Ethical Hackers Found a $70B Flaw in Aptos

Ethical Hackers Found a $70B Flaw in Aptos

Cybersecurity firm Hexens discovered a critical bug in the Move virtual machine powering the Aptos blockchain — a so-called stale-cache bug leading to a type-confusion vulnerability that let an attacker bypass type guarantees and trick the network into treating one resource type as another, CoinDesk reports. The flaw was found by Vahe Karapetyan, Hexens's CTO and co-founder.

To test how dangerous the bug actually was, researchers spun up infrastructure for just $3,000 — a cluster of more than 30 validator nodes with a stake distribution close to mainnet and organic transaction traffic. The attack worked with a 90% success rate, roughly 17-18 successes out of 20 attempts.

Direct risk on Aptos itself was estimated at several billion dollars, but according to Justus Hanna, CEO of Grego AI, a bad actor could have drained however much locked value they wanted — factoring in stablecoins (chiefly USDC via CCTP), the LayerZero and Wormhole bridges, DeFi protocols and centralized exchanges, the total value at risk reached $70 billion.

Hexens reported the flaw through its bug bounty program on February 25, 2026, an emergency "SEAL911" war room opened the next day, and a public patch shipped on February 27. Aptos Labs said: "The fix was developed, tested, and deployed to mainnet within hours. No users or funds were impacted."

In plain terms: the full public write-up only surfaced now, nearly five months after the quiet fix — standard practice for critical vulnerabilities, so attackers aren't handed a working exploit before the patch has fully propagated across the network.

Nothing here should be taken as financial advice — just information to consider.

Mike Robinson

Author

Mike Robinson

News feed editor

I'm constantly writing about crypto, Bitcoin, and altcoins. I cover a variety of topics related to the virtual currency market.

Comments (0)

No comments yet — be the first!