Aptos Move VM Flaw Raised Systemic Risk Concerns for Up to $70 Billion in Assets
Blockchain security firm Hexens has identified a critical "stale cache" type-confusion vulnerability in the Move virtual machine used by the Aptos blockchain, CoinDesk reported. In a simulated environment, the researchers said an attacker could achieve close to a 90% success rate at an estimated server cost of about $3,000, without needing validator privileges or any insider access.
Hexens ran roughly 20 simulated attack attempts and succeeded 17–18 times. The team also validated that, if exploited, the issue could enable an attacker to seize administrative control over cross-chain protocol integrations, including LayerZero, Wormhole and USDC CCTP.
Hexens warned the bug posed a direct threat to DeFi protocols, stablecoins and liquid staking applications on Aptos, potentially putting several billion dollars in on-chain assets at risk. The firm added that if the weakness were leveraged via cross-chain bridges, stablecoin minting flows or centralized exchanges, broader systemic exposure could reach as much as $70 billion.
Aptos received the vulnerability report on Feb. 25 and pushed a fix to mainnet within hours. The project said no user funds were affected.