Aptos Fixes Critical Move VM "Stale Cache" Flaw, With Up to $70B in Theoretical Exposure
Aptos, a blockchain that handles billions of dollars in daily transaction volume, narrowly avoided a potentially severe security incident after patching a critical vulnerability in its Move virtual machine (VM). Security researchers showed that a simulated exploit could succeed close to 90% of the time using a relatively modest server setup.
Blockchain security firm Hexens reported the issue—described as a "stale cache" bug—on February 25, 2026. Aptos Labs pushed a mainnet fix within hours. A public pull request posted on February 27 detailed the remediation and tied it to the project's bug bounty process.
What the vulnerability enabled
The flaw was located in the Move VM, the execution layer responsible for processing every smart contract on Aptos. According to Hexens, the bug could allow an attacker to seize control of on-chain structs and authority resources, potentially enabling manipulation of the core data structures that govern ownership and permissions.
Hexens demonstrated proof-of-concept attacks using infrastructure costing about $3,000, with each attempt costing in the low hundreds of dollars. In simulation, the attack path succeeded nearly 90% of the time.
Hexens pegged the maximum systemic risk at $70 billion, factoring in stablecoins, cross-chain bridges, and DeFi protocols built on or connected to Aptos. Bridges were highlighted as especially high-risk because they aggregate pooled assets from multiple networks, making them attractive targets where a single exploit could drain funds sourced from other chains.
Polygon CTO Mudit Gupta separately reviewed the proof of concept and confirmed the researchers' findings.
Aptos response and points of contention
Aptos Labs said no user funds were lost. The company moved from disclosure to a mainnet patch within hours. Aptos also pushed back on claims about real-world exploitability, arguing that mainnet constraints would make a successful attack more difficult than the simulated results suggest. That stance contrasts with Gupta's independent validation of the proof of concept.
The February 27 pull request documented the technical fix and formally linked the disclosure to Aptos's bug bounty program, which offers rewards of up to $1 million for critical vulnerability reports.
What investors and builders should watch
The $70 billion figure reflects a maximum theoretical scenario in which an attacker could chain every vulnerable pathway at once. Even so, the reported cost profile—a roughly $3,000 server plus a few hundred dollars per attempt—sets a low barrier for adversaries targeting a high-value network.
Protocols that depend on Aptos for settlement, especially cross-chain bridges, may treat this incident as a cue to review and audit their own dependencies and assumptions.
Aptos's $1 million cap for critical bug bounties is broadly competitive. Hexens' characterization of the exposure, though, underscores the gap between bounty payouts and the potential value of such vulnerabilities on grey markets, making the researchers' decision to pursue responsible disclosure notable.