A blockchain that processes billions in daily transactions came within a few hundred dollars of a potential catastrophe. Aptos Labs patched a critical flaw in its Move virtual machine after security researchers demonstrated that a simulated attack could succeed nearly 90% of the time using nothing more than a modest server setup.

The vulnerability, a so-called stale-cache bug, was reported by blockchain security firm Hexens on February 25, 2026. Aptos deployed a fix to mainnet within hours, followed by a public pull request on February 27 that documented the patch and its relationship to the company’s bug bounty program.

What the bug actually did

The flaw sat inside the Move virtual machine, the execution environment that processes every smart contract on the network. The bug allowed an attacker to potentially hijack on-chain structs and authority resources, meaning someone could manipulate the core data structures that define who owns what on the blockchain.

Hexens researchers demonstrated proof-of-concept attacks using a server setup costing roughly $3,000, with individual attack attempts running into the low hundreds of dollars. The success rate in simulations hit nearly 90%.