Researchers at Hexens identified a critical vulnerability in the Aptos blockchain that could have exposed up to $70 billion in crypto assets to risk. The issue was reported on February 25 and fixed within days, with no funds lost.
White hat hackers from the security firm Hexens discovered a stale-cache bug in the Aptos Move virtual machine. The flaw allowed potential type-confusion attacks that could bypass core security guarantees of the Move programming language.
The team simulated the attack using a $3,000 server setup that approximated one-third of the validator network. They achieved a success rate of over 90 percent across roughly 20 test runs under conditions that matched mainnet traffic and stake distribution.
Aptos Labs received the report through its bug bounty program on February 25. A fix was developed, tested, and deployed to mainnet within hours. An Aptos spokesperson stated that no users or funds were impacted.
Independent reviewers including Mudit Gupta of Polygon confirmed the proof-of-concept worked as described. Grego AI separately estimated that about $250 million in Aptos-native value was directly at risk, while broader cross-chain exposure could have reached the higher systemic figure.