
Security researchers at Hexens found an Aptos Move VM bug that could have put up to $70 billion in crypto at risk. Aptos patched it within hours.
Author: Sahil Thakur
8th July 2026 – Security researchers at Hexens found an Aptos Move VM bug that could have put up to $70 billion in crypto at risk. Aptos patched it within hours.
High Signal Summary For A Quick Glance
開運鬼龍🐳BITGET【h1qb】MEXC【1aXc9】BINGX【KAIUN】
@kaiun69
🚨 aptos:native APTOSの欠陥が2人のホワイトハッカーによって発見され700億ドルが危険にさらされる 2人のホワイトハッカーが、わずかTHREE-THOUSANDドルのサーバーを使用してAptosのコアコンセンサスメカニズムの欠陥を悪用し、ほぼ90%の成功率を達成しました。 https://t.co/Fn0lZJNIf3

02:16 AM·Jul 8, 2026
Joe
@0x_Osprey
Another L1 "widowmaker" bug gets reported by white hats this time on Aptos This would have decimated the entire chain/forced a hardfork Probably the most sophisticated execution I've seen in recent memory (precise cache writes across the entire validator set) https://t.co/lm3cVGrlIb
1/ we found a bug in the Aptos Move VM that put up to $70B at systemic risk. type confusion at the execution layer. a ~90% success rate across hundreds of simulated runs on a 30+ validator cluster. cost to build the attack infrastructure: $3,000. Conducted by @kemmio , to our
04:06 PM·Jul 7, 2026
CryptoMaMa
@1CryptoMama
So, ethical hackers used a $3,000 server to find an Aptos flaw that risked $70B in crypto This flaw could have compromised the core security guarantees of the Move language with nearly 90% success rate, potentially putting approximately $70 billion in crypto assets at risk.
11:18 AM·Jul 6, 2026
Steady attention without excessive speculation.
The flaw never touched user funds. Hexens reported it privately on February 25, and Aptos shipped a fix the same day. The researchers then waited months to disclose it, until validators had migrated to the patch.
The problem sat in the execution layer, not in consensus. Aptos runs AptosBFT, a Jolteon-based protocol, and that part stayed intact. Instead, the bug lived in the Move VM runtime.
Move is built on strong type safety. In plain terms, one contract cannot read or change another contract’s data. A vault balance or a mint capability stays locked to its owner.
The bug came from a partial cache flush. During routine cleanup, the code flushed two caches but skipped a third, the type-tag cache. As a result, a later struct could steal the identity of an earlier one.
The specific fault lived in a function called check_ready, inside the block executor’s cache manager. It flushed the struct name map and the module ID pool. Still, it left the type-tag cache stale.
Hexens calls the result a type-confusion vulnerability. An attacker could hijack or overwrite arbitrary structs. In practice, that means draining vaults, seizing ownership rights, or minting stablecoins at will.
Picture the Move VM as a filing system with strict labels. Every struct gets an index that points to its true type. The type-tag cache remembers those labels between blocks.
When too many modules load, the executor clears space. Here, it cleared some labels but kept stale type tags. Later, a fresh module reused an old index, and the stale tag pointed it at the wrong data.
That mismatch is the whole exploit. An attacker crafts transactions to trigger the flush at the right moment. Then a malicious struct inherits a victim’s identity and its stored value.
Hexens tested the Aptos Move VM bug on a local network that mimicked mainnet. The team spun up more than 30 validators with a realistic stake spread. That setup cost about $3,000 in server time.
Notably, the attack needed no special access. According to Hexens, an attacker needs no validator role, no insider help, and no stake. Each attempt costs only hundreds of dollars.
The success rate stunned reviewers. In roughly 18 of 20 runs, the exploit drained a test vault from 1,000,000 to zero. Clean misses did no damage.
Hexens framed the stakes bluntly. “Once type safety can be violated at the VM level, that assumption no longer holds,” the report reads. “A contract can be correctly written, fully audited, and still have its state hijacked from beneath it.”
The $70 billion figure is theoretical, not money that moved. It reflects first-order exposure across the ecosystem. That number includes stablecoin mint and burn rights, bridges, and DeFi vaults.
Bridges like LayerZero, Wormhole, and CCTP sit inside that estimate. So do ownership takeovers and cross-chain message forgery. The math assumes an attacker reaches every critical capability at once.
Independent reviewers put the direct figure far lower. Grego AI estimated about $250 million in Aptos-native TVL at real risk. For context, DefiLlama pegs current Aptos TVL near $110 million.
Aptos moved fast. The team built, tested, and deployed a private patch to validators on the day of the report. A public pull request documenting the fix followed on February 27.
The response also reached beyond Aptos itself. A SEAL911 security war room opened the same day. By that afternoon, bridges and stablecoin issuers held proof-of-concept materials.
An Aptos spokesperson pushed back on the worst-case framing. “A fix was developed, tested, and deployed to mainnet within hours of discovery,” the spokesperson told CoinDesk. “No users or funds were impacted at any point.”
Aptos also calls real-world exploitability “extremely low.” Hexens, by contrast, showed a roughly 90% success rate in its simulation. Both camps still agree on the core facts of the flaw.
The public disclosure barely moved the market. APT traded around $0.62 in early July, with no sharp swing tied to the news. The risk window had already closed months earlier.
Still, the episode tests a core promise of Move-based chains. The Aptos Move VM bug showed that a flaw below the application layer can bypass even audited contracts. That lesson will shape how researchers probe Move next.
Some observers question the four-month private window and the undisclosed bounty payout. Aptos runs a bug bounty that pays up to $1 million for critical issues. For now, the fix is live, and no exploit ever reached mainnet. This article is informational and not financial advice.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.