Hexens discovers Aptos type confusion vulnerability, attack success rate approaches 90%

APT0.30%
USDC0.01%

Cybersecurity firm Hexens' CTO Vahe Karapetyan discovered a stale-cache vulnerability in the Move virtual machine of the Aptos blockchain on July 5, leading to type confusion; the vulnerability could trick software into bypassing the type safety guarantees of the Move language. Hexens set up a simulation environment with servers costing about $3,000, and the attack success rate approached 90% in 20 tests.

$3,000 server, 20 simulations, succeeded 17-18 times, attack success rate close to 90%

According to Hexens' technical report, Karapetyan's team built a simulation environment close to mainnet scale to verify the feasibility of the vulnerability: over 30 validator nodes, a staking distribution close to mainnet, real transaction traffic and high-intensity execution competition, with a setup cost of about $3,000; launching a real attack would be even cheaper, and no validator privileges, insider knowledge, or privileged access would be required.

Hexens tested about 20 times in the simulation environment, succeeding 17-18 times, with a success rate close to 90%; even if 2-3 failures occasionally occurred, the network would not halt, and attackers could patiently wait for the next opportunity window.

SEAL911 intervened, patched within hours and notified downstream projects

According to Aptos official statements and CoinDesk reports, Hexens reported the vulnerability through the Aptos bug bounty program on February 25, 2026; Aptos stated that the team was already working on the issue internally when the report was received. The crypto industry volunteer emergency response team SEAL911 set up a war room that same day; later that afternoon, Aptos notified affected vendors and 4 major downstream projects, along with a locally executable proof of concept (PoC).

Aptos told CoinDesk: "The fix was developed, tested, and deployed to mainnet within hours of discovery, and no users or funds were affected throughout the entire process." The public patch pull request went live on February 27, but private validators had already deployed the fix before the public commit.

Polygon CTO Mudit Gupta and Grego AI independently verified PoC effectiveness

According to CoinDesk, there was a notable discrepancy between Aptos' assessment and Hexens': Aptos stated "analysis indicates this vulnerability is extremely difficult to exploit under real-world conditions," while Hexens responded that it has not received any evidence-based technical rebuttal to date.

Polygon CTO Mudit Gupta independently reviewed the PoC and said: "It works as claimed, the vulnerability makes sense... a few conditions need to be met, and it appears they achieved them on mainnet."

Independent firm Grego AI verified the PoC, and CEO Justus Hanna stated bluntly: "If a malicious actor got hold of this vulnerability, they could take any TVL they wanted."

Risk estimate: Aptos native TVL directly exposed at about $250 million

According to assessments by Hexens and Grego AI, the risk scale of this vulnerability is divided into two levels:

Aptos native TVL direct exposure (Grego AI assessment): Based on the attack success rate of nearly 90%, approximately $250 million of Aptos native TVL is directly threatened, excluding cross-chain exposure.

Systemic risk (Hexens assessment): Up to $70 billion, covering cross-chain bridges, cross-chain messaging systems, stablecoin issuance management processes, and assets accessible via centralized exchanges; this number presupposes that an attacker massively mints USDC and moves assets to other chains via Circle's Cross-Chain Transfer Protocol (CCTP).

Circle's limitation: Circle stated it will not freeze assets without legal authorization, meaning the probability of the full $70 billion risk materializing is limited if all parties intervene in a timely manner.

Trust chain contagion risk: Critical protocol permissions in the Move language (minting stablecoins, controlling cross-chain bridges, managing lending markets) are stored as "on-chain resources." Once compromised, the damage spreads along the trust chain to all systems that depend on them.

In one test, Hexens briefly took over a role analogous to "master minter," operating through legitimate management paths and stopping short of actually minting coins, but this was sufficient to prove that such roles must be included in the full threat model.

Frequently Asked Questions

What is the Aptos Move VM vulnerability, and how does it work?

According to Hexens' technical report, it is a "stale-cache bug" leading to "type confusion"; the software is tricked into mistaking one on-chain resource for another, bypassing the type safety guarantees of the Move language, effectively allowing an attacker's controlled code to write directly into the storage space of other contracts.

Has this vulnerability been patched, and what was the timeline?

According to Aptos' official statement, after being reported on February 25, 2026, the fix was completed, tested, and deployed to mainnet within hours, with private validators deploying even earlier; the public PR went live on February 27; Aptos stated no users or funds were affected throughout the process.

How was the $70 billion systemic risk assessed by Hexens calculated?

According to Hexens' assessment, the $70 billion covers cross-chain bridges, cross-chain messaging systems, stablecoin issuance, and assets accessible via centralized exchanges; the precondition is that an attacker massively mints USDC and moves it to other chains via Circle CCTP. Circle stated it does not freeze assets without legal authorization, so if all parties intervene in a timely manner, the probability of full risk materialization is limited.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments