Aptos Network Vulnerability Exposed $70 Billion to $3,000 Attack
- The flaw allowed control over roles that authorize the issuance of stablecoins like USDC.
- Researchers found that between 17 and 18 out of every 20 attack attempts were successful.
A critical flaw in the Aptos network was corrected last February, after the security firm Hexens demonstrated that this vulnerability could expose up to $70 billion in funds within the Aptos ecosystem to an attack costing only $3,000, the amount researchers mentioned for renting a server with the power of a desktop computer. The fix was applied before the flaw could be exploited, so no users lost money.
Although the discovery and its correction occurred in February, the complete technical details and proof of concept (PoC) from Hexens were only made public this week when Hexens and the Aptos team released them.
Hexens stated that in every 20 attempts to simulate the attack, between 17 and 18 ended successfully in a test environment with over 30 nodes (the computers that verify and confirm operations within the network). The Aptos team confirmed on July 4 through a media outlet that the discovery was reported on February 25 via a bug bounty program, and the correction was developed, tested, and deployed on the main network afterward.
The error originated in the Move virtual machine (MoveVM), the program that executes the code of smart contracts within Aptos to carry out network operations, designed under the Move programming language. This program, in turn, organizes the data of each contract into structures, the way MoveVM stores, for example, the balance of an account or the administrative permissions of a protocol.
The system keeps an identification number for each of these structures in temporary memory, to avoid repeating the same process in each operation. The problem arose when the system emptied part of that memory to free up space, but not all of it: the number identifying a structure could mistakenly remain associated with the data of another completely different one. This is known as type confusion, an error in which the program ends up treating the information of one account as if it belonged to another.
With this error, as described by Hexens in their technical report published on July 6, an attacker could take over master administrator roles, the function that authorizes the issuance of a stablecoin, or signing capabilities that control the handling of funds within a contract. Researchers claimed to have taken control of a master administrator role and reached the step prior to authorizing an issuance, without executing it.
The Hexens team also noted that the flaw reached the routes connecting Aptos with bridges between networks, such as those operated by Wormhole and LayerZero, and with the protocol used by Circle to move its stablecoin USDC between different networks, known by its English acronym CCTP (Cross-Chain Transfer Protocol).
According to Hexens, an attacker could also force a complete emptying of those temporary memories (caches) after an attempt, whether successful or failed, to leave no trace of the manipulation. This partly explains why the firm insists that failed attempts did not stop the network or expose the ongoing attack.
Additionally, Hexens researchers compared the problem to an equivalent scenario in an Ethereum-based network, where code under the control of an attacker could write directly over the storage space of another contract, bypassing the guarantees of the type system that Move was specifically designed to uphold.
Hexens reported the flaw following the practice of responsible disclosure, meaning they notified Aptos privately before publishing any details publicly. An emergency room coordinated by SEAL911, a voluntary response network that various projects in the sector use to coordinate reactions to serious security incidents, was also activated.
The Aptos team, for its part, rated the practical exploitability of the flaw as "extremely low." This assessment contrasts with the success rate of between 17 and 18 out of every 20 attempts that Hexens claimed to have achieved in their simulations, and also with independent reviews from two third parties: Mudit Gupta, CTO of Polygon, stated that the proof of concept worked as described, while the firm Grego AI estimated the direct risk to Aptos's native assets at $250 million, a figure significantly lower than the $70 billion that Hexens estimated for the broader ecosystem impact.
Finally, Charles Guillemet, CTO of Ledger, indicated that such findings, with complete traces of the virtual machine and two functional proof of concepts, previously required months of work from a specialist and today, with artificial intelligence tools, are faster and cheaper to produce. According to his reading, if security teams can now go through every line of code and build a functional attack at low cost, it is reasonable to assume that groups of attackers, including those linked to North Korea like Lazarus, have similar capabilities.
You may also like
Perplexity Fine-Tuned a Chinese AI Model to Match Claude Opus 4.8 at One-Third the Cost
Bank of Korea defends bank-first stablecoin plan amid bill deadlock
JPMorgan says bitcoin's main risk isn't Strategy, but blockchain adoption that doesn't benefit public chains and tokens
Fear & Greed Index Today: What Extreme Fear Means for Crypto, Stocks and Gold
Labour MPs Push to Make UK Crypto Donation Ban Permanent
Supreme Court ruling expanding Trump's authority over federal agencies raises questions for SEC, CFTC as crypto rulemaking advances
'Bottom building in progress': Analysts say bitcoin holder capitulation signals late-stage bear market
A Comprehensive Analysis: Starting from 1996, Who is Laying the Foundation for the Next Generation of Capital Markets
Luke Dashjr, the Biggest Anti-Spammer of Bitcoin, Inscribed Phrases on the Network in 2011
Whales bought 270,000 BTC while ETFs bled $7 billion. One side is wrong
The crypto IPO class of 2025-26 is down as much as 89%. Autopsy of a listing boom
Robinhood Chain Mining Guide: A Comprehensive Tutorial from Cross-Chain to Memecoin
BitGo CEO says single-digit percentages of bitcoin's supply are 'probably right' for large holders amid Strategy's sale
Beyond Private Keys: How to Safeguard the Security Boundaries of Web3 from Wallets, L2 to Supply Chains?
Vanguard Enters the Market, Opening a New Crypto Gateway for 50 Million Traditional Investors
Why the OUSD Alliance of 150 Companies Still Cannot Shake USDT and USDC?
Citigroup Analysis: Is There Still 47% Upside for Nvidia? Can Rubin and CPO Deliver?
WEEX API Fast Connect: Turn Every Sign-In Into a Live Trader in Under 10 Seconds
WEEX API Fast Connect is a one-click OAuth authorization system that lets your users link their WEEX account without ever touching an API key. Frictionless onboarding, faster conversions, higher retention — built for WEEX Broker partners.



