
Hexens researchers found a type-confusion bug in Aptos Move VM. No funds were lost. The simulation showed $70B at risk across bridges and crypto exchanges.
A server costing $3,000 was enough for blockchain security researchers to simulate an attack path they said could have compromised up to $70 billion in crypto infrastructure. The vulnerability sat in Aptos, a layer-1 blockchain built on the Move language. Hexens, the firm that found it, reported a stale-cache bug leading to a type-confusion flaw in the Move virtual machine. The Aptos team patched it within hours of the Feb. 25 disclosure. No funds were stolen.
Move stores protocol permissions as onchain resources. That includes the rights to mint stablecoins and control bridges. Administering lending markets works the same way. The bug let attacker-controlled code treat one type of onchain resource as another, bypassing the type-system guarantees the language was designed to enforce. The effect was roughly comparable to an Ethereum bug that would let code write into storage belonging to other contracts, Hexens said.
Hexens assessed direct exposure on Aptos at low single-digit billions. Grego AI, which independently verified the proof of concept, calculated that around $250 million in Aptos-native total value locked was directly at risk, based on a near-90% success rate. The broader first-order systemic risk reached roughly $70 billion, Hexens said, including value flowing through bridges and centralized exchanges. The exploit could steal protocol capabilities held by LayerZero, Wormhole, and USDC's cross-chain transfer protocol.
Hexens opened a SEAL911 warroom the same day. Four downstream projects received proof-of-concept material and analysis of relevant authority patterns that afternoon. A public pull request reflecting the patch appeared Feb. 27. Aptos said a private validator patch was deployed before that commit. Mudit Gupta, CTO at Polygon, reviewed the materials and said the exploit held up. "It ran as claimed, and the exploit made sense," he told CoinDesk.
Aptos disputed the practical exploitability. The spokesperson told CoinDesk the bug would have extremely low exploitability in real world conditions. Hexens said it received no technical rebuttal. The team ran the exploit path 20 times in a simulated environment and succeeded 17 or 18 times. The failed attempts did not stop the network, meaning an attacker could have tried again. The simulation used more than 30 validator nodes with mainnet-shaped stake distribution and organic transaction traffic. No validator access or insider knowledge was required.
Justus Hanna, CEO at Grego AI, said: "If malicious actors had access to this bug, they would have been able to take all the TVL that they want."
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.