A pair of ethical hackers just demonstrated that a $3,000 server setup was all it took to potentially compromise one of crypto’s most well-funded Layer-1 blockchains. The vulnerability they found in Aptos’ Move virtual machine carried an estimated systemic risk of $70 billion, spanning stablecoins, DeFi protocols, cross-chain bridges, and centralized exchange pathways.
A $3,000 attack vector with 90% odds
Blockchain security firm Hexens discovered what they call a “stale-cache bug” in Aptos’ Move VM on February 25, 2026. A flaw in the virtual machine that executes smart contracts on Aptos allowed for a type-confusion vulnerability, essentially tricking the system into misidentifying data types. This kind of confusion could let an attacker hijack critical on-chain resources, including minting permissions and bridge control systems.
When Hexens simulated the attack, the results were sobering. Using a server setup costing roughly $3,000, they achieved a success rate nearing 90%, hitting 17-18 out of 20 simulated attempts.
Polygon CTO Mudit Gupta independently validated the vulnerability’s proof-of-concept, lending additional credibility to Hexens’ findings.






