White Hats Found an Aptos Bug That Could Have Reached $70 Billion in Crypto
• July 5, 2026 2:20 pm • CommentsAptos just got a security disclosure that should make every serious crypto operator look twice at base-chain assumptions.
The good news is simple. The bug was patched, Aptos says no users or funds were impacted, and the disclosure came through white-hat channels.
The harder part is the scale of what researchers say could have been exposed if the wrong people had found it first.
Security firm Hexens disclosed a critical Aptos Move VM flaw tied to a stale cache and type confusion. The issue sat in the execution layer that helps process Move smart contracts on the network.
The July 4 CoinDesk account starts with the practical shock: Hexens researchers simulated an Aptos attack path with a success rate around 90%, using infrastructure that cost about $3,000.
The simulation approximated real network conditions, including validator distribution, organic transaction traffic, and heavy execution contention. CoinDesk placed the test inside a broader emergency-disclosure timeline that began on February 25, 2026.
Aptos patched the issue, and CoinDesk included the company’s position that no users or funds were impacted. Aptos also argued that real-world exploitability was extremely low, which is an important part of the record.
The severity comes from the authority sitting behind onchain resources. CoinDesk tied Hexens’ broader risk estimate to stablecoin administration, bridges, cross-chain messaging, DeFi permissions, and exchange-connected paths rather than a single isolated app.
Hexens assessed broader first-order systemic risk near $70 billion. That figure is an estimate of exposure, not a claim that $70 billion was actually stolen or guaranteed to disappear.
It still puts the disclosure in a different category from a routine smart-contract bug. A chain-level execution flaw can reach the permissions that other systems trust.
An arbitrary state write bug in Aptos chain was disclosed by @hexens today.
This is the worst kind of bug possible on a chain.
Why? Not only everything on the affected chain can be stolen but also most assets across all chain can be stolen.
Your stablecoins, LSTs, everything
— Mudit Gupta (@Mudit__Gupta) July 5, 2026
The technical writeup from Hexens describes the vulnerability as an arbitrary-struct hijack in the Aptos Move VM.
The firm centered the bug on a stale type-tag cache. In simple terms, the system could hold onto type information after a related cache path had been flushed, leaving validator execution open to storage-level type confusion.
Hexens said that class of bug could allow an attacker to hijack and overwrite arbitrary onchain structs. In Move, that is serious because resources and capabilities can represent permissions over tokens, bridges, vaults, and protocol administration.
The affected area was in Aptos’ Move runtime and global code-cache management path. That makes the issue part of the chain’s execution machinery, rather than a weakness inside one third-party application.
That distinction explains why the disclosure drew attention across the security community. If the base execution model can be confused about what a resource is, applications built on top of that model can inherit the danger.
The Hexens writeup also frames the impact around takeover of contracts and vault-draining scenarios. The published disclosure arrived after the patch path, which is why the article belongs in the postmortem category rather than the active-emergency category.
CryptoBriefing covered the same stale-cache vulnerability and described Aptos as having fixed a critical Move VM issue before any loss of funds.
Its coverage also highlights the same central tension: the attack simulation showed a high success rate with modest infrastructure, while the patched status means the public market is judging process, preparedness, and disclosure quality instead of a live exploit.
CryptoBriefing said Aptos deployed a mainnet fix within hours after the February report. It also noted that Aptos’ bug bounty program can reach a $1 million ceiling for critical vulnerabilities.
That bounty context matters as a severity marker. Teams do not put seven-figure ceilings around trivial bugs; they reserve that range for issues that can threaten core security assumptions.
The Aptos case also shows why crypto infrastructure depends on more than code audits at launch. Validator behavior, cache invalidation, bridge authority, stablecoin controls, and emergency response all become part of the same risk map.
For investors and builders, the clean takeaway is caution. A patched white-hat disclosure is far better than a live exploit, but it still reveals how much value can sit behind one execution-layer guarantee.
đź”’ Aptos Blockchain Flaw Found by Ethical Hackers
Ethical hackers discovered a critical flaw in the Aptos blockchain that could have put $70 billion in crypto at risk, according to Coindesk. The vulnerability, which has since been patched, gave researchers a near-90% success…
— Crynet (@crynetio) July 4, 2026
There is no evidence in the public reporting that funds were stolen. There is also no need to turn a simulated risk estimate into a claim of certain losses.
The bigger lesson is infrastructure discipline. Crypto’s visible apps often sit on invisible assumptions about type safety, cache behavior, validator timing, and cross-chain authority.
When those assumptions hold, the market barely notices them. When one breaks, even briefly and privately, the potential blast radius can be enormous.
Join the conversation!
We have no tolerance for comments containing violence, racism, profanity, vulgarity, doxing, or discourteous behavior. If a comment is spam, instead of replying to it please click the icon below and to the right of that comment. Thank you for partnering with us to maintain fruitful conversation.
