CYNTRI AIAutonomous DeFi
๐Ÿ”SEARCH
THE BODY COUNT
HACK DATABASEยท๐Ÿ”“

Aptos: A $3,000 Server Found the Bug That Could Have Broken $70 Billion

Two ethical hackers rented $3,000 worth of servers and found a flaw in the Aptos blockchain that could have minted counterfeit stablecoins, seized bridges, and forged assets across the entire ecosystem. Estimated damage: up to $70 billion. Actual damage: zero, because they reported it first.

S
SYNTHยทHack Database
Aptos: A $3,000 Server Found the Bug That Could Have Broken $70 Billion
In July 2026, security firm Hexens disclosed a bug in the Aptos Move VM that a $3,000 server could have exploited to put up to $70 billion at systemic risk. It was patched in February before anyone lost a cent

You do not need a nation-state budget to threaten a multi-billion-dollar blockchain. You need about $3,000 and a very good weekend.

That is the lesson from a disclosure security firm Hexens made public on July 4, 2026. Back in February, their researchers found a critical flaw buried inside the Aptos Move virtual machine - the engine that runs every smart contract on the chain. Hexens put the first-order systemic risk at roughly $70 billion. For a network that markets itself on speed and safety, that is not a number you want next to your name.

The bug was what they called a stale-cache bug that produced a type-confusion condition. Here is the plain version. Type confusion is an old software problem: the program reads something as the wrong kind of thing and walks straight past the checks meant to stop it. On a blockchain, that mix-up is dangerous. Move stores authority as on-chain resources - the right to mint a stablecoin, control a bridge, administer a lending market. These are not passwords. They are objects living in storage. If you can trick the system into treating a malicious object as a legitimate authority resource, you do not hack one protocol. You become the protocol.

CyntriAI
PREDICTIVE DEFI
Stop chasing yields across five chains.
Cyntri AI agents predict, execute, and rebalance your DeFi positions using advanced predictive models.
ETHSOLARBBASEOP
Read the Whitepaper
cyntriai.org
A Cyntri AI Project

Hexens co-founder Vahe Karapetyan led the research. His team spun up a cluster of more than 30 validator nodes, built to mirror the real Aptos network - realistic stake distribution, live transaction traffic, heavy execution contention. The total cost of the rig was around $3,000, standing in for roughly a third of the validator set. Individual attack attempts cost a few hundred dollars. The success rate in simulation hit nearly 90%. No insider access. No special permissions. No privileged role. Just the bug and the servers.

According to Hexens, a successful exploit could have handed an attacker master-minter roles over stablecoins, control of cross-chain bridges including the rails Wormhole and LayerZero use, and even reached the CCTP protocol Circle uses to move USDC between chains. On that scale, it would have dwarfed the $1.5 billion Bybit hack of the previous year. They got as far as seizing a master-minter role and stopping one step before actually authorizing an issuance. They could also flush the caches after each attempt, successful or not, to leave no trace.

Then they did the thing that separates a white hat from a headline. They reported it.

The disclosure went to Aptos Labs on February 25, 2026, through the bug bounty program. A SEAL911 emergency channel opened the same day. Aptos deployed a fix to mainnet within hours and published a public pull request documenting the patch on February 27. No funds were ever touched. The whole thing was over months before anyone outside a handful of security researchers knew it existed.

Aptos disputes the scale. A spokesperson told CoinDesk the bug would have "extremely low exploitability in real world conditions." That is the company line, and it sits awkwardly next to Hexens hitting the exploit 17 or 18 times out of 20 on a mainnet-shaped simulation. The independent reviews did not help Aptos's case. Polygon CTO Mudit Gupta tested the proof-of-concept himself and said it ran as claimed, with a few conditions that needed to line up. Coming from the security chief of a rival chain, that carries more weight than anything Aptos or Hexens could say alone. Grego AI, which verified the work, put the directly exposed Aptos-native value at around $250 million - far below $70 billion, but still a nine-figure hole.

The uncomfortable detail is the speed. Aptos brags about it - 16 million transactions in a day, blocks confirming in seconds, fees around $0.0005 after a fee hike. Those are the exact properties a security researcher weighs first. At a fraction of a cent per transaction, flooding the chain with malicious payloads is nearly free. And the same engine that clears legitimate volume in seconds would clear a fake mint-and-transfer run at the same pace. An attacker who could forge assets would only need a short window to create them and move them out before any human could react. Speed is neutral. It clears your money and the thief's money at the same rate.

Nobody lost a dollar. That is the headline and it is real. But the story is not "the system worked." The story is that one of crypto's best-funded layer-1s carried a chain-level flaw for months, it took two people and a $3,000 server to find it, and the only reason $70 billion did not become the number attached to Aptos forever is that the people who found it decided to send an email instead of an exploit.

The Aftermath

No funds were ever lost - the flaw was patched in February, five months before the public disclosure. APT traded near $0.62 after the July 4 reveal with roughly a $518 million market cap, and the disclosure did not trigger a sharp move. Aptos maintained that real-world exploitability was 'extremely low,' a position that clashed with the independent verifications from Polygon's Mudit Gupta and Grego AI. Ledger CTO Charles Guillemet noted that findings like this - full VM traces plus two working proof-of-concepts - once took specialists months to produce and are now faster and cheaper with AI tooling. The episode became a reference point in the argument for on-chain circuit breakers on high-throughput layer-1s, where block speed leaves humans no time to react to a chain-level exploit in progress.

LESSONS LEARNED

!The cost to threaten a $70 billion ecosystem was $3,000 and a weekend. The gap between attacker cost and potential damage has never been wider, and AI tooling is shrinking the skill and time it takes to find flaws that once required months of specialist work.
!Speed is a security variable, not just a marketing one. On a chain clearing 16 million transactions a day at a fraction of a cent each, a fake mint-and-transfer run clears as fast as legitimate volume - and no human can react in the seconds it takes to move forged assets out.
!The system did not 'work.' A white hat chose disclosure over exploitation. That is a decision, not a safeguard. The only thing standing between a patched bug and a $70 billion headline was the ethics of the two people who found it first.

COMMENTS

CMZ
END OF FILE
Filed under Hack Database