In February 2026, the security company Hexens discovered a flaw in the core component of Aptos, a high-performance Layer 1 based on the Move language, during routine research on the Aptos ecosystem. The defect could rewrite the industry's perception of risk. The root of the problem lies in flawed cache processing within the virtual machine, which could lead to type confusion under specific conditions; attackers could theoretically exploit this to bypass the expected security boundaries of contracts and reach the core logic of on-chain assets. According to Hexens' assessment, the exposure extends beyond a single contract or application to pegged assets relying on Aptos, cross-chain bridges, and a series of key on-chain infrastructure, totaling about $70 billion in digital assets exposed to the same potential attack surface. More disturbingly, exploiting the flaw does not require validator permissions or insider operational knowledge. After confirming the risk, Hexens followed white-hat practice and privately submitted the detailed technical path to the Aptos team, which completed the fix and deployed the patch within hours of receiving the report, sealing off potential attack vectors before the issue was made public. Throughout the process, there were no records of malicious exploitation or financial loss. A few weeks later, as Hexens and Aptos publicly disclosed the events and the theoretical scale of the risk, the industry gradually came to regard this $70 billion near miss as a thrilling but ultimately successful stress test of infrastructure security, rather than a systemic disaster that had already occurred.
Invisible vulnerabilities under scrutiny: Cracks in Move VM
What truly made this event thrilling was not that attack scripts were already on the way, but that the vulnerability had long existed within the Move virtual machine under the guise of "low-level optimization." The issue lay in the cache processing logic: on certain execution paths, the Move VM's type checking of cached data was flawed, which could, under specific conditions, cause type confusion. At the low-level execution stage, this blurred the boundaries between resources and data that are otherwise strictly isolated at the language level. Many security audits focus on contract business logic and permission design; VM-level details like this are hard to reach and hard to expose through conventional functional testing, which is why the flaw remained invisible within Aptos's core execution component until February 2026.
Researchers at Hexens noticed the anomaly during a security audit of the Move VM: under certain types of contract interactions, the virtual machine's type handling deviated from design expectations. Only after further analyzing the cache read/write paths did they confirm that this was a structural flaw that could develop into type confusion. After validating that the risk was feasible and that the issue was not an edge case, Hexens followed white-hat convention and immediately contacted the Aptos team privately to submit technical details and a risk assessment. Even more concerning, Hexens explicitly pointed out that exploiting this vulnerability does not require validator permissions or internal operational information; if someone independently arrived at the same technical conclusion, the barrier to entry would not be much higher than for an ordinary contract attack. This is why an invisible crack buried at the lower level was, once exposed by white hats, immediately regarded as a core threat to the security boundary of $70 billion.
$70 billion in assets on the cliff's edge
When Hexens and Aptos internally reassessed the asset landscape of this chain, the official statement about the "theoretical exposure of about $70 billion in digital assets" reflected an entire set of infrastructure that fell within the risk radius. All contracts running on the Move VM share the same virtual machine execution environment: tokens pegged to fiat currencies, cross-chain bridges holding assets from other chains, and the position and liquidation logic of lending, borrowing, and trading protocols. According to Aptos's assessment, the value managed by these Move contracts is dispersed across different applications and addresses, but in the risk model it can be consolidated into a single "asset pool that could be affected if the VM is breached." That is the disturbing on-chain distribution structure behind the $70 billion figure.
More critically, this is not a business bug within a single protocol, but a cache processing defect directly affecting the Move VM itself. Once used to create type confusion, an attacker could theoretically "walk side by side" with any contract's execution process without holding validator permissions, rewriting at the lower level state that is considered immutable. The risk is systemic because it breaks the entire execution trust boundary of Aptos: when an application is breached, it usually implicates only its own users and funds, whereas a VM-level vulnerability could drag all assets and infrastructure reliant on Move to the cliff's edge. Fortunately, before the patch was issued, the defect was not maliciously exploited and caused no recorded financial loss, but it exposed a structural reality of high-performance public chains: once the lower level falls, upper-layer protocols cannot remain unaffected.
Hours to seal the breach: Aptos team's emergency response
From the moment Hexens privately submitted the Move VM cache defect to Aptos, the incident entered an extremely tight response window. The Aptos team did not treat it as "debt that could be scheduled," but immediately opened an emergency channel and completed the development and deployment of the patch within hours of receiving the report, sealing potential entry points for type confusion at the virtual machine level. The process did not escalate into widespread on-chain stalling, and there were no publicly reported cases of asset theft or protocol paralysis; the risk was contained while it was still at the "theoretical exposure" stage.
During these hours, the collaboration between the white hats and the official team followed the responsible security practice most valued in the industry: report privately first, then publicly disclose technical details once the fix is complete. Hexens chose to disclose the nature and scope of the incident publicly in February 2026 only after confirming that Aptos had completed the repairs, turning a previously invisible potential risk on the order of $70 billion into a lesson on infrastructure security that the entire industry could review. Without this rapid fix, the upper-layer assets and cross-chain bridges reliant on Move might have faced systemic attack attempts unprepared, which makes these few hours a decisive stress test in Aptos's security narrative.
The shadow of infrastructure security: The cost of high-performance public chains
What Hexens revealed this time was not a business logic flaw in a DeFi protocol, but a defect embedded directly within Aptos's infrastructure, the Move virtual machine. As a high-performance Layer 1 pursuing high throughput and low latency, Aptos entrusts almost all on-chain state updates to the Move language and its VM execution logic. A type confusion risk arising from cache processing means that more than a single contract could be compromised: the "execution environment itself" becomes unreliable. Application-layer bugs typically affect only that specific contract and its liquidity pool, whereas VM-level vulnerabilities could theoretically reach all dependent contracts and assets, which is what produces the previously underestimated exposure estimate on the order of $70 billion.
From an industry perspective, this type of infrastructure-level risk has long sat in a gray area of auditing and investment. Project teams commonly commission third-party audits for popular application contracts and cross-chain bridge scripts but rarely apply the same rigor, in the form of continuous formal verification and attack surface modeling, to compilers, virtual machine caches, and execution engines, especially for new languages and environments like Move. Everyone acknowledges in words that white-hat audits and underlying security are key means of reducing systemic risk, but resource allocation is often swayed by traffic and feature iteration, until a core component like the Aptos Move VM exposes a flaw. That turns the cost of high-performance public chains into a concrete lesson: if the infrastructure itself is not verified with equal rigor, then however good the performance metrics look, they are built on thin ice that could crack at any moment.
What this near miss says about the future security game
Although the high-risk flaw in the Move VM theoretically pointed to an exposure of about $70 billion, it did not result in a single cent of loss; as of July 5, 2026, it is still classified as a "successfully resolved" infrastructure security event. This is itself a stress test of how well white hats and project teams can collaborate. Hexens chose a responsible disclosure path after discovering the issue, and the Aptos team completed repairs and patch deployment within hours. Together they compressed a potential systemic incident into a technical alert made public afterwards, and turned the principle that "the underlying execution environment must be prioritized for protection" into a case the industry can reference repeatedly. The magnitude of the exposure and the range of what was affected, covering key infrastructure such as fiat-pegged assets and cross-chain bridges, makes the market aware that the prosperity of public chain ecosystems is binding the fate of more and more upper-layer applications to the security of virtual machines and execution environments. High performance is no longer just a number in a benchmark table but a continuous test of the pace of security engineering. Moving forward, it is worth observing not only whether public chains like Aptos set an appropriate pace for core component audits, version iterations, and security upgrades, but also whether vulnerability disclosure becomes more transparent, whether bounty programs become more targeted, and whether investment in infrastructure security increases as a result of this incident. These variables will determine whether the next similar risk is resolved equally swiftly or recorded by the market as a true disaster.



