
How ethical hackers with just a $3,000 server found a flaw that could've put $70 billion in crypto at risk

coindesk.com · Jul 4, 2026 at 18:00


A $3,000 server was enough for a blockchain security researcher to simulate an attack path they say could have put as much as $70 billion in crypto infrastructure at risk.

At the center of the disclosure was a flaw in Aptos, a layer-1 blockchain built on Move, the smart contract language used by Aptos and Sui, that stems from Facebook’s shelved Diem project.

In late February, researchers at the blockchain security firm Hexens reported a critical vulnerability in the Aptos Move virtual machine, the execution environment that processes smart contracts on the chain, to the project’s development team. Hexens identified what it described as a "stale-cache bug" leading to a type-confusion vulnerability, a condition in which software can be tricked into treating one type of onchain resource as another.

The Aptos team did patch the vulnerability when it was flagged, and no funds were lost.

“Aptos Labs was notified of a potential issue through our bug bounty program on February 25 that was already being triaged internally at the time," an Aptos spokesperson told CoinDesk. "A fix was developed, tested, and deployed to mainnet within hours of discovery. No users or funds were impacted at any point."

The Aptos spokesperson also disputed the practical exploitability of the bug to CoinDesk. "Our analysis determined the bug would have extremely low exploitability in real world conditions."

However, the details of what researchers found offer a sobering look at how close the ecosystem came to a potentially industry-altering event.

The sensitivity of this class of bug comes down to how the Move language handles authority. Protocol permissions in Move, including the right to mint a stablecoin, control a bridge, or administer a lending market, are often stored directly as onchain resources. If those resources are compromised, the damage does not stop at one protocol. It extends to everything that trusts them.

Hexens' researchers offered a practical analogy to the bug: it is roughly comparable to a bug on an Ethereum-style chain that would allow attacker-controlled code to write into storage belonging to other contracts, bypassing the type-system guarantees that Move was specifically designed to uphold.

Mudit Gupta, CTO at Polygon, independently reviewed the proof-of-concept materials and said the exploit held up. "It ran as claimed, and the exploit made sense," he told CoinDesk. "It required a few conditions to be met, which it seems like they did on the mainnet."

Meanwhile, Grego AI, which independently verified Hexens' proof-of-concept, calculated that approximately $250 million in Aptos-native TVL was directly at risk based on the near-90% success rate, separate from broader cross-chain exposure.

The vulnerability, discovered by Vahe Karapetyan, CTO and co-founder of Hexens, could, if left unchecked, have exposed a far larger systemic risk surface across bridges, stablecoins, DeFi protocols and centralized exchanges, costing billions and creating a crisis far beyond Aptos itself.
