Aptos fixes critical vulnerability that cost hundreds of dollars to exploit

A stale-cache bug in the Move VM put an estimated $70 billion in assets at risk, by the researchers' count, before a same-day patch closed it

A blockchain that processes billions of dollars in daily transactions was, by one estimate, a few hundred dollars of attack cost away from a potential catastrophe. Aptos Labs patched a critical flaw in its Move virtual machine after security researchers reported that, in their simulations, an attack succeeded nearly 90% of the time from a server setup costing roughly $3,000.

The vulnerability, described as a stale-cache bug, was reported by blockchain security firm Hexens on February 25, 2026. Aptos deployed a fix to mainnet within hours, followed by a public pull request on February 27 that documented the patch and tied the finding to the company's bug bounty program.

What the bug actually did

The flaw sat inside the Move virtual machine, the execution environment that runs every smart contract on the network. According to the researchers, the bug could let an attacker hijack on-chain structs and authority resources. In Move, resources are the typed data stored under accounts, and they encode who owns an asset and who is permitted to act on it, so corrupting them would mean manipulating the core records that define ownership and control on the chain.

Hexens researchers demonstrated proof-of-concept attacks using a server setup costing roughly $3,000, with individual attack attempts costing in the low hundreds of dollars. In their simulations the success rate reached nearly 90%.

Hexens estimated the systemic risk at $70 billion, accounting for stablecoins, cross-chain bridges, and DeFi protocols built on or connected to Aptos. Bridges are particularly sensitive targets because they hold pooled assets from multiple chains, meaning a single successful exploit can drain funds that originated elsewhere.

Polygon’s CTO Mudit Gupta independently reviewed the researchers’ proof-of-concept and validated their findings.

Aptos’s response and the dispute that followed

No loss of user funds was reported. Aptos Labs moved from disclosure to a mainnet patch within hours.

Aptos disputed claims about the bug's exploitability under actual mainnet conditions, arguing that real-world constraints would make a successful attack harder than the simulated environment suggested. That position sits in tension with Gupta's independent validation of the proof-of-concept, although the two claims address different questions: Gupta confirmed that the proof-of-concept works as described, while the disputed point is how far its simulated conditions carry over to live mainnet.

The public pull request on February 27 documented the technical fix and tied the finding to Aptos's bug bounty program, which offers rewards of up to $1 million for critical vulnerability disclosures. The article does not state what reward, if any, was paid for this report.

What investors and builders should watch

The $70 billion systemic risk figure is a ceiling: the theoretical exposure if an attacker could reach every vulnerable pathway at once, not a measure of what any single exploit would have drained. Even so, a $3,000 server and a few hundred dollars per attempt is a low barrier for an adversary targeting a high-value network. Protocols that rely on Aptos for settlement, particularly cross-chain bridges, should treat this disclosure as a prompt to confirm that the infrastructure they depend on is running the patched release and to review what trust they place in Aptos state.

The Aptos bug bounty ceiling of $1 million for critical findings is competitive by industry standards, but it is small relative to the tens of billions in theoretical exposure attributed to this bug. The researchers chose coordinated disclosure over any other route regardless.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.