Hexens: Aptos Has Fixed a Critical Move VM Vulnerability, with Theoretical Maximum Risk Exposure of Approximately $70 Billion
Odaily Planet Daily News: Blockchain security company Hexens has disclosed that it discovered a critical vulnerability in the Move Virtual Machine (Move VM) of the Aptos blockchain in February of this year. The vulnerability was fixed within hours of the report, with no funds lost. Hexens stated that the vulnerability stemmed from a cache handling defect that could lead to type confusion. An attacker could theoretically exploit this to gain high-privilege roles in areas such as stablecoin minting, cross-chain bridges, and DeFi protocols. The research team used a server costing approximately $3,000 to build a simulation environment close to the mainnet and tested the exploit path about 20 times, succeeding roughly 17 to 18 times. They assessed that the vulnerability could potentially impact approximately $250 million in Aptos native TVL; if it further affected infrastructure such as cross-chain bridges, stablecoins, and centralized exchanges, the theoretical systemic risk exposure could reach up to approximately $70 billion. Aptos stated that the exploitability of the vulnerability in a real-world environment is extremely low and that it was promptly fixed through its bug bounty program, with no impact on any users or funds.
