A pair of ethical hackers just demonstrated that a $3,000 server setup was all it took to potentially compromise one of crypto’s most well-funded Layer-1 blockchains. The vulnerability they found in Aptos’ Move virtual machine carried an estimated systemic risk of $70 billion, spanning stablecoins, DeFi protocols, cross-chain bridges, and centralized exchange pathways.
A $3,000 attack vector with 90% odds
Blockchain security firm Hexens discovered what they call a “stale-cache bug” in Aptos’ Move VM on February 25, 2026. A flaw in the virtual machine that executes smart contracts on Aptos allowed for a type-confusion vulnerability, essentially tricking the system into misidentifying data types. This kind of confusion could let an attacker hijack critical on-chain resources, including minting permissions and bridge control systems.
When Hexens simulated the attack, the results were sobering. Using a server setup costing roughly $3,000, they achieved a success rate nearing 90%, hitting 17-18 out of 20 simulated attempts.
Polygon CTO Mudit Gupta independently validated the vulnerability’s proof-of-concept, lending additional credibility to Hexens’ findings.
The $70 billion number, and why Aptos pushes back
Hexens pegged the systemic risk at $70 billion. That figure doesn’t represent Aptos’ direct total value locked, which security assessment firm Grego AI placed at approximately $250 million. Instead, it accounts for the cascading damage that could ripple through the broader ecosystem: stablecoins that depend on Aptos infrastructure, DeFi protocols built on top of it, cross-chain bridges connecting it to other networks, and centralized exchange pathways that route through it.
Aptos Labs pushed back on the severity assessment, contending that the bug had low exploitability in practical scenarios on the live mainnet.
The timeline and the fix
Aptos Labs patched the vulnerability on its mainnet just two days after discovery, on February 27. No funds were lost. The disclosure was coordinated through SEAL911 emergency channels, and four downstream projects were notified on the same day the vulnerability was identified.
The public disclosure came on July 4, 2026, following responsible disclosure protocols. Aptos maintains a bug bounty program offering up to $1 million for serious vulnerabilities.
What this means for investors
The Move VM, originally developed at Meta’s Diem project, was designed with safety as a core principle. Aptos competes with Sui, another Move-based Layer-1, as well as Solana and Ethereum’s scaling solutions. A $70 billion systemic risk estimate, even if contested, enters the calculus for DeFi teams choosing where to deploy and weighing the security track record of their base layer.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

1 hour ago
19









English (US) ·