A critical vulnerability in the Aptos blockchain, if exploited, could have put up to $70 billion in crypto assets at risk, affecting stablecoins, bridges, and other protocols. Although patched, the discovery highlights significant systemic risks within the ecosystem.
While the immediate threat was mitigated, news of such a significant vulnerability, even if patched, can erode investor confidence in the Aptos blockchain and potentially lead to bearish sentiment. The perceived risk to a large sum of assets, regardless of the quick fix, may cause investors to re-evaluate their holdings.
The long-term effect will depend on Aptos's ability to continually demonstrate robust security and rebuild trust. This incident, while resolved, will likely remain a talking point regarding the chain's security history, influencing future investment decisions.
How ethical hackers with just a $3,000 server found a flaw that could've put $70 billion in crypto at risk

A critical flaw in the Aptos blockchain, which was patched, gave researchers a near-90% success rate at breaking a core security guarantee, with attack costs of just hundreds of dollars.

By Oliver Knight | Edited by Cheyenne Ligon, Nikhilesh De, Jamie Crawley
Updated Jul 4, 2026, 8:16 p.m. Published Jul 4, 2026, 6:00 p.m.

Summary

Ethical hackers from security firm Hexens discovered a flaw in the Aptos blockchain that was patched but could have put up to $70 billion in digital assets at systemic risk, including stablecoins and cross-chain bridges.

Researchers simulated the attack with an over-90% success rate under real network conditions, using a well-provisioned server setup that cost just $3,000 to simulate about 1/3 of the validator network, and the attack required no insider access or special permissions.

The vulnerability was reported through emergency security channels on Feb. 25, and a patch was deployed within days to prevent any funds from being lost.

A $3,000 server was enough for a blockchain security researcher to simulate an attack path they say could have put as much as $70 billion in crypto infrastructure at risk.

At the center of the disclosure was a flaw in Aptos, a layer-1 blockchain built on Move, the smart contract language used by Aptos and Sui, that stems from Facebook's shelved Diem project.

In late February, researchers at the blockchain security firm Hexens reported a critical vulnerability in the Aptos Move virtual machine, the execution environment that processes smart contracts on the chain, to the project's development team.
Hexens identified what it described as a "stale-cache bug" leading to a type-confusion vulnerability, a condition in which software can be tricked into treating one type of onchain resource as another. The Aptos team did patch the vulnerability when it was flagged, and no funds were lost.

"Aptos Labs was notified of a potential issue through our bug bounty program on February 25 that was already being triaged internally at the time," an Aptos spokesperson told CoinDesk. "A fix was developed, tested, and deployed to mainnet within hours of discovery. No users or funds were impacted at any point."

The Aptos spokesperson also disputed the practical exploitability of the bug to CoinDesk. "Our analysis determined the bug would have extremely low exploitability in real world conditions."

However, the details of what researchers found offer a sobering look at how close the ecosystem came to a potentially industry-altering event.

The sensitivity of this class of bug comes down to how the Move language handles authority. Protocol permissions in Move, including the right to mint a stablecoin, control a bridge, or administer a lending market, are often stored directly as onchain resources. If those resources are compromised, the damage does not stop at one protocol. It extends to everything that trusts them.

Hexens' researchers offered a practical analogy to the bug: it is roughly comparable to a bug on an Ethereum-style chain that would allow attacker-controlled code to write into storage belonging to other contracts, bypassing the type-system guarantees that Move was specifically designed to uphold.

Mudit Gupta, CTO at Polygon, independently reviewed the proof-of-concept materials and said the exploit held up. "It ran as claimed, and the exploit made sense," he told CoinDesk. "It required a few conditions to be met, which it seems like they did on the mainnet."
Meanwhile, Grego AI, which independently verified Hexens' proof-of-concept, calculated that approximately $250 million in Aptos-native TVL was directly at risk based on the near-90% success rate, separate from broader cross-chain exposure.

The $70 billion risk

The vulnerability, discovered by Vahe Karapetyan, CTO and co-founder of Hexens, could, if left unchecked, have exposed a far larger systemic risk surface across bridges, stablecoins, DeFi protocols and centralized exchanges, costing billions and creating a crisis far beyond Aptos itself. And all it would've taken was a few thousand dollars' worth of servers.

The total cost to spin up the infrastructure needed to run this experiment was approximately $3,000 for a server that simulated an environment designed to approximate Aptos mainnet conditions. A malicious attacker actually carrying out the exploit would have needed considerably less, and would not have required validator access, insider knowledge or privileged protocol permissions.

The team ran the exploit path roughly 20 times in a simulated environment and succeeded 17 or 18 times. The two or three failed attempts did not stop the network, meaning the attacker would simply have had another window to try again.

The simulation was built to closely approximate real network conditions, using a cluster of more than 30 validator nodes, a mainnet-shaped stake distribution, organic transaction traffic and heavy execution contention.

The Hexens team also tested what they call "non-armed calibration techniques": dry runs that measured mempool and block-construction conditions before committing to an armed attempt. The firm said those steps materially reduced the uncertainty introduced by the exploit's probabilistic elements, making the attack path more reliable in practice.
Based on public data collected at the time of reporting, Hexens assessed direct and first-order protocol exposure on Aptos, covering DeFi protocols, tokenized assets, stablecoin infrastructure and liquid-staking systems, at low single-digit billions.

In such exploits, however, the broader risk could've been greater, as blockchain-level compromises rarely stop at the affected chain. Hexens assessed that the broader first-order systemic risk was approximately $70 billion — a huge number that includes value accessible through bridges, cross-chain messaging systems, stablecoin administration flows and centralized exchanges.

Grego AI noted that the exploit could also be used to steal protocol capabilities, including those held by LayerZero, Wormhole and USDC's CCTP. "If malicious actors had access to this bug, they would have been able to take all [the] TVL that they want[ed]," said Justus Hanna, CEO at Grego AI.

The simulation shows the industry remains vulnerable to hidden bugs in blockchain technology. If an attacker had actually found and exploited the bug, in theory, it could have easily dwarfed the massive $1.5 billion stolen in a Bybit hack last year.

Most recently, in June, Zcash (ZEC) plummeted 38% after developers revealed a critical bug that had lurked undetected in its privacy pool for four years, one that could have allowed an attacker to print unlimited counterfeit tokens without anyone knowing. Before that, nine-figure bridge hacks and protocol exploits drained liquidity pools and rattled confidence in the infrastructure underpinning the broader market.

It's worth noting that $70 billion is an estimate based on minting a mammoth amount of USDC stablecoin and using Circle's Cross-Chain Transfer Protocol (CCTP) to move it across chains.
If a malicious attacker did this, and given how large the number is, it's also likely a company like Circle would halt USDC transfers, although that has come under scrutiny recently as the stablecoin issuer said it doesn't freeze assets without legal authorization. So, in theory, if everyone stepped in, the entire $70 billion figure likely wouldn't be achieved—but it would still have rocked the industry nonetheless.

What this proof-of-concept testing demonstrated was access to the kinds of authority that sit at the top of cross-chain systems: bridge capabilities, signer capabilities, master-minter roles and protocol accounting state. Researchers said they validated a takeover of a master-minter-style role and demonstrated the use of a legitimate administration path, stopping short of actually minting tokens but showing why such roles belong in the threat model.

The dominant vector into the broader surface runs through centralized exchanges, specifically the Aptos bridge pathways that connect onchain activity to exchange deposit crediting.

Response and disclosure

The same day Hexens filed its report, a "SEAL911" emergency warroom was opened to coordinate the response. SEAL911 is a volunteer security group that has become a key first-responder layer across the crypto ecosystem.

The vendor was notified hours after the warroom opened, and four major downstream projects were alerted that afternoon, each receiving local-runnable proof-of-concept material and analysis of relevant authority patterns.

A public pull request reflecting the patch became available on February 27. Aptos stated that a private-validator patch had been deployed before the public commit. Hexens, meanwhile, says it has not received a technical rebuttal or evidence-based argument disputing the demonstrated impact classes.
The firm claims that the main concern relayed back to the researchers involved the probabilistic aspects of the exploit, precisely what the team's calibration work was designed to address.

While no funds were stolen, the simulation showed that in a blockchain-level compromise, rate limits, issuer freezes, bridge controls, exchange monitoring and validator patches are not secondary safeguards. They can become the boundary between a contained bug and a market-wide exploit.