A $3,000 server. That is all it would have taken to potentially compromise $70 billion in crypto infrastructure. Let that sink in.
Security firm Hexens has disclosed a critical vulnerability in the Aptos blockchain’s Move virtual machine that, had a malicious actor found it first, could have triggered the single largest crypto catastrophe in history. The bug was patched in February, no funds were lost — but the details of what researchers found should terrify every protocol builder, bridge operator, and stablecoin issuer in the ecosystem.
The Bug That Nearly Broke Everything
Discovered by Vahe Karapetyan, Hexens’ CTO and co-founder, the vulnerability was a “stale-cache bug” that created a type-confusion condition in the Aptos Move VM — the execution environment that processes every smart contract on the network. In plain terms, the software could be tricked into treating one type of on-chain resource as another.
Why does that matter? Because protocol permissions in Move — the right to mint a stablecoin, control a bridge, or administer a lending market — are stored directly as on-chain resources. Compromise those resources, and the damage does not stop at one protocol. It extends to everything that trusts them.
Hexens’ researchers drew a chilling analogy: the Aptos Move VM bug was roughly comparable to a flaw on Ethereum that would allow attacker-controlled code to write into storage belonging to other contracts, bypassing every type-system guarantee that Move was specifically designed to uphold.

Ninety Per Cent Success Rate on a Budget Server
The numbers from Hexens’ simulation are sobering. The team ran the exploit path roughly 20 times in a simulated environment that closely approximated mainnet conditions — more than 30 validator nodes, a realistic stake distribution, organic transaction traffic, and heavy execution contention. They succeeded 17 or 18 times. That is a near-90% success rate.
The total infrastructure cost? Approximately $3,000 for the server cluster. Individual attack attempts would have run into the low hundreds of dollars. No validator access was required. No insider knowledge. No privileged protocol permissions.
Polygon’s CTO Mudit Gupta independently reviewed the proof-of-concept materials and confirmed the exploit held up. “It ran as claimed, and the exploit made sense,” he told CoinDesk. “It required a few conditions to be met, which it seems like they did on the mainnet.”
Grego AI, which independently verified the findings, calculated that approximately $250 million in Aptos-native total value locked was directly at risk. But the real exposure ran far deeper.
The $70 Billion Question
Hexens assessed the broader first-order systemic risk at approximately $70 billion. That figure accounts for stablecoins, cross-chain bridges, DeFi protocols, and — critically — the bridge pathways that connect on-chain activity to centralised exchange deposit crediting.
The researchers demonstrated access to the kinds of authority that sit at the top of cross-chain systems: bridge capabilities, signer capabilities, master-minter roles, and protocol accounting state. They validated a takeover of a master-minter-style role, stopping short of actually minting tokens but demonstrating precisely why such roles belong in the threat model.
Justus Hanna, CEO at Grego AI, put it bluntly: “If malicious actors had access to this bug, they would have been able to take all the TVL that they wanted.”
The dominant attack vector into the broader $70 billion surface ran through centralised exchanges — specifically the Aptos bridge pathways. LayerZero, Wormhole, and USDC’s Cross-Chain Transfer Protocol were all identified as potentially compromised pathways.

Patched in Hours — But the Dispute Lingers
To Aptos Labs’ credit, the response was swift. The vulnerability was reported on 25 February through emergency security channels. A SEAL911 warroom — the volunteer security group that has become crypto’s first-responder layer — was opened the same day. Four major downstream projects were alerted that afternoon. A private-validator patch was deployed before the public commit appeared on 27 February.
No user funds were lost. By any measure, this was responsible disclosure done right.
But the aftermath reveals an uncomfortable tension. Aptos disputes the practical exploitability, arguing that “real-world conditions” would make a successful attack harder than simulations suggested. That position sits awkwardly against Gupta’s independent validation and Grego AI’s verification.
The Aptos bug bounty programme offers up to $1 million for critical disclosures. Given that this particular vulnerability carried theoretical exposure in the tens of billions, a researcher who could have sold it on a grey market for vastly more chose responsible disclosure instead. The industry should be grateful — and perhaps reconsider whether $1 million bounties are proportionate to the risks they are designed to prevent.
What This Means for Crypto’s Future
The Aptos Move VM bug arrives against a grim backdrop. H1 2026 saw a record 207 crypto hacks totalling $972 million in losses, according to TRM Labs. DeFi’s total value locked has collapsed from $115 billion in January to roughly $70 billion by late June. Q2 2026 was the worst quarter ever for crypto exploits.
And yet, the industry’s most dangerous moment this year was not the KelpDAO hack ($370 million), the Drift Protocol drain ($220 million), or even the Zcash counterfeiting bug. It was a single stale-cache error in a virtual machine built by former Facebook engineers — a flaw that could have been exploited for the price of a decent laptop.
Move was designed as the “safer” smart contract language, born from Meta’s abandoned Diem project and marketed as an improvement over Solidity’s well-documented footguns. The Aptos vulnerability undermines that narrative entirely. If a type-confusion bug can lurk in the supposedly superior execution environment, no blockchain is immune.
The cost of crypto’s next catastrophe is not millions. It is thousands of dollars and a bit of ingenuity. The only thing standing between the ecosystem and a $70 billion disaster was the integrity of the researchers who found it first.
This is a developing story. Bullish Times will continue to monitor the fallout from the Hexens disclosure and any response from affected cross-chain protocols.









