A $3,000 server nearly shook $70 billion in on-chain assets
I just came across a CoinDesk report, and my back went a little cold.
Researchers at the security firm Hexens used an ordinary server, a setup costing about $3,000, to find a fatal vulnerability in the Aptos blockchain. The attack success rate was nearly 90%, and it could simulate about 1/3 of the validator network. In theory, it could threaten up to $7 billion worth of on-chain assets.
The flaw comes from a stale-cache bug in the Move virtual machine. It can lead to type confusion, allowing an attacker's code to write directly into the storage area of other contracts. What does this mean? Once stablecoins, cross-chain bridges, and DeFi protocols are compromised, it can trigger a chain-reaction collapse. Even Move, a language known for type safety, can be bypassed at the VM implementation level.
Fortunately, this time was a white-hat effort. Reported through the bug bounty program on February 25, the patch was deployed to the mainnet within a few hours, with no real loss incurred. Aptos officials acknowledged the vulnerability, but they were cautious about the $70 billion figure of affected assets. Polygon CTO Mudit Gupta independently verified the PoC’s effectiveness, indirectly confirming the severity of the flaw.
This is a wake-up call for ordinary users:
1. Even for a new-generation L1 known for security, core security still depends on implementation details, not just language design.
2. Diversifying assets across different chains and protocols is always the dumbest—but most effective—way to reduce systemic risk.
3. Pay attention to whether a project has an active bug bounty program and how quickly it responds. Aptos fixed this issue within hours, which is a positive signal of mature security governance.
At present, the publicly available sources mainly come from CoinDesk. Hexens and Aptos’s official announcements have not been released yet, so the completeness of the information needs verification. But regardless of whether the final number is $7 billion—or even if it’s discounted—the low-cost, high-threat attack path is something the entire Move ecosystem should be on guard against.
Disclaimer: This is for information compilation and logic review only and does not constitute investment advice. The market involves risk—please do your own research.
$BTC $ETH $BNB #on-chain security
