Logo
My Crypto News AI

A $3,000 Server Exposed a Critical Flaw That Could Have Put $70 Billion in Crypto at Risk

A team of ethical hackers at security firm Hexens discovered a critical flaw in the Aptos blockchain that could have exposed up to $70 billion in digital assets to theft, including stablecoins and cross-chain bridges. The vulnerability was reported in late February and patched within hours, preventing any funds from being lost. The researchers demonstrated the exploit's feasibility using just a $3,000 server setup, achieving a near-90% success rate under real network conditions.

What Was the Vulnerability and How Serious Was It?

The flaw existed in the Aptos Move virtual machine, the execution environment that processes smart contracts on the layer-1 blockchain. Researchers identified what they called a "stale-cache bug" that led to a type-confusion vulnerability, a condition where software can be tricked into treating one type of onchain resource as another.

The sensitivity of this bug stems from how the Move programming language handles authority and permissions. Protocol permissions in Move, including the right to mint a stablecoin, control a bridge, or administer a lending market, are often stored directly as onchain resources. If those resources are compromised, the damage extends far beyond a single protocol to everything that trusts them.

Vahe Karapetyan, CTO and co-founder of Hexens, discovered the vulnerability and explained its potential impact through a practical analogy. The bug was roughly comparable to a flaw on an Ethereum-style chain that would allow attacker-controlled code to write into storage belonging to other contracts, bypassing the type-system guarantees that Move was specifically designed to uphold.

How Did Researchers Prove the Exploit Could Work?

The Hexens team conducted extensive testing to demonstrate the exploit's real-world feasibility. They ran the exploit path roughly 20 times in a simulated environment and succeeded 17 or 18 times. The two or three failed attempts didn't stop the network, meaning an attacker could have simply waited for another window to try again.

The simulation was built to closely approximate real network conditions, using a cluster of more than 30 validator nodes, a mainnet-shaped stake distribution, organic transaction traffic, and heavy execution contention. The team also tested what they called "non-armed calibration techniques," which were dry runs that measured mempool and block-construction conditions before committing to an armed attempt. These steps materially reduced the uncertainty introduced by the exploit's probabilistic elements, making the attack path more reliable in practice.

The total cost to spin up the infrastructure needed to run this experiment was approximately $3,000 for a server that simulated an environment designed to approximate Aptos mainnet conditions. If a malicious attacker were to actually exploit the flaw, it would have required considerably less investment, without requiring validator access, insider knowledge, or privileged protocol permissions.

What Was the Scope of Potential Damage?

Independent verification from multiple experts confirmed the severity of the vulnerability. Mudit Gupta, CTO at Polygon, independently reviewed the proof-of-concept materials and confirmed the exploit's validity. "It ran as claimed, and the exploit made sense," he stated. "It required a few conditions to be met, which it seems like they did on the mainnet".

Mudit Gupta, CTO at Polygon, independently reviewed the proof-of-concept materials and

Grego AI, which independently verified Hexens' proof-of-concept, calculated that approximately $250 million in Aptos-native total value locked (TVL), a measure of assets deposited in a protocol, was directly at risk based on the near-90% success rate. However, the broader systemic risk was far greater.

Hexens assessed that the broader first-order systemic risk was approximately $70 billion, a figure that includes value accessible through bridges, cross-chain messaging systems, stablecoin administration flows, and centralized exchanges. The vulnerability could have exposed access to the kinds of authority that sit at the top of cross-chain systems, including bridge capabilities, signer capabilities, and master-minter roles.

Justus Hanna, CEO at Grego AI, emphasized the severity of what could have been accessed. "If malicious actors had access to this bug, they would have been able to take all [the] TVL that they want[ed]," he explained. The exploit could also have been used to steal protocol capabilities held by LayerZero, Wormhole, and USDC's Cross-Chain Transfer Protocol (CCTP).

Justus Hanna, CEO at Grego AI

How Does This Compare to Other Major Crypto Hacks?

If an attacker had actually found and exploited the bug, in theory it could have easily dwarfed some of the largest hacks in crypto history. The $70 billion figure dwarfs the $1.5 billion stolen in a Bybit hack in 2025. Most recently, in June 2026, Zcash (ZEC) plummeted 38% after developers revealed a critical bug that had lurked undetected in its privacy pool for four years, one that could have allowed an attacker to print unlimited counterfeit tokens without anyone knowing.

It is worth noting that the $70 billion estimate is based on minting a massive amount of USDC stablecoin and using Circle's Cross-Chain Transfer Protocol to move it across chains. If a malicious attacker did this, and given how large the number is, it is also likely a company like Circle would halt USDC transfers. So in theory, if everyone stepped in, the entire $70 billion figure likely would not be achieved, but it would still have rocked the industry.

How to Understand the Broader Implications for Blockchain Security

  • Validator Network Simulation: The researchers demonstrated that simulating just one-third of the Aptos validator network required only $3,000 in server costs, showing how relatively inexpensive it can be to test blockchain vulnerabilities at scale.
  • Cross-Chain Exposure: The vulnerability highlighted how a flaw in a single blockchain can cascade across bridges and connected protocols, putting assets on multiple chains at risk even if they are not directly deployed on the affected network.
  • Permission System Risks: The bug exposed how storing protocol permissions as onchain resources in Move can create systemic risks, as compromising one resource type can grant attackers access to critical administrative functions across multiple protocols.
  • Probabilistic Attack Success: The near-90% success rate in testing showed that even probabilistic exploits with a few failure attempts can be practically viable for attackers, since they can simply retry without triggering network-wide alerts.

The Aptos team responded quickly to the disclosure. "Aptos Labs was notified of a potential issue through our bug bounty program on February 25 that was already being triaged internally at the time," an Aptos spokesperson told CoinDesk. "A fix was developed, tested, and deployed to mainnet within hours of discovery. No users or funds were impacted at any point".

However, the Aptos team disputed the practical exploitability of the bug in real-world conditions. "Our analysis determined the bug would have extremely low exploitability in real world conditions," the spokesperson added.

The simulation and testing conducted by Hexens demonstrates that the crypto and blockchain industry remains vulnerable to hidden bugs in core blockchain technology. Even with careful design and security considerations, critical flaws can lurk in the execution environments that process smart contracts, waiting to be discovered by either ethical researchers or malicious actors. The fact that such a severe vulnerability could be found and tested with relatively modest resources underscores the importance of ongoing security research, bug bounty programs, and rapid patching procedures across the blockchain ecosystem.