Ethical Hackers Flag Aptos Move VM Bug With $70B Potential Blast Radius

AI Market Summary
Hexens disclosed a "stalecache" type-confusion flaw in Aptos' Move VM that could have enabled high-impact privilege hijacks (e.g., minting/bridge control) with low-cost infrastructure, though Aptos disputes practical exploitability. The bug was patched within two days and no funds were lost, but the public $70B systemic-risk framing can weigh on near-term confidence in Aptos-based DeFi/bridges and Move-ecosystem security perceptions.
Impact level
● Medium
Affected assets
APT/USDT-1.39%
AI Insight · APT/USDTAI Insight
▼ Bearish
Trade now
⚠️ AI-generated insights are based on news content and are provided for informational purposes only. They do not constitute investment advice or represent the views of BingX. Investing involves risk. Please trade responsibly.
A pair of ethical hackers say they have shown how a modest, roughly $3,000 server setup could have been used to target a critical weakness in Aptos' Move virtual machine, exposing what they estimate as up to $70 billion in ecosystem-wide risk across stablecoins, DeFi applications, cross-chain bridges and centralized exchange routing. Blockchain security firm Hexens said it identified what it calls a "stalecache bug" in the Move VM on Feb. 25, 2026. According to the firm, the issue created a type-confusion condition that could cause the system to misinterpret data types, potentially enabling an attacker to seize control of sensitive on-chain resources such as minting permissions and bridge control mechanisms. In Hexens' simulations, the attack succeeded nearly 90% of the time, with 17 successful outcomes across 20 runs, using infrastructure estimated at about $3,000. Polygon CTO Mudit Gupta independently validated the proof of concept, Hexens said. Hexens framed the exposure as a $70 billion "systemic" risk rather than Aptos' own total value locked. Security assessment firm Grego AI placed Aptos TVL at about $250 million, but Hexens argued the larger figure reflects potential knock-on effects for assets and services that rely on Aptos infrastructure, including stablecoins, DeFi protocols, bridge connectivity and exchange pathways. Aptos Labs disputed the severity assessment, saying the bug would have been difficult to exploit in real-world conditions on mainnet. Aptos Labs patched the vulnerability on mainnet on Feb. 27, two days after discovery. No funds were reported lost. Disclosure was coordinated via SEAL911 emergency channels, and four downstream projects were notified on the day the issue was identified. Public disclosure followed on July 4, 2026, under responsible disclosure practices. Aptos said it maintains a bug bounty program that pays up to $1 million for high-severity findings. For investors and DeFi builders, the episode underscores the stakes around core execution environments. Move VM, originally developed for Meta's Diem project, was built with safety as a design priority. Aptos competes with Sui—another Move-based Layer 1—as well as Solana and Ethereum scaling networks. Even with Aptos contesting the estimate, a headline $70 billion systemic-risk figure is likely to factor into deployment decisions and assessments of base-layer security track records.