Written by: Oliver Knight
Translated by: Chopper, Foresight News
A server worth $3,000 was enough for a blockchain security researcher to simulate an attack path, which they stated could put up to $70 billion worth of crypto infrastructure at risk.
The protagonist of this vulnerability incident is the public blockchain Aptos, which is based on the Move language derived from Meta's abandoned Diem stablecoin project.
In late February, researchers from the security company Hexens reported a high-risk vulnerability in the Aptos Move virtual machine to the Aptos development team; this virtual machine is responsible for executing on-chain smart contracts. The essence of the vulnerability was a type confusion defect triggered by cache invalidation: attackers could manipulate the cache to deceive the system into identifying one type of on-chain resource as another.
After receiving the vulnerability report, the Aptos team completed the deployment of patches across the network, without any incidents of user assets being stolen throughout the process.
A spokesperson from Aptos responded to CoinDesk, "On February 25, we received the report of this potential risk through our bug bounty program, and at that time, we had already commenced an internal vulnerability investigation. The team confirmed the vulnerability and completed the fix, testing, and deployment to the mainnet within hours, with no harm to users or funds." However, the official response also raised objections to the actual exploitability of the vulnerability, stating that internal analysis indicated the vulnerability was nearly impossible to exploit in a real online environment. Nevertheless, the details of the vulnerability disclosed by the security team revealed that the entire cryptocurrency industry had narrowly escaped a significant security disaster that could have reshaped the industry landscape.
The extreme risk of this vulnerability stems from the permission storage mechanism of the Move language: core protocol permissions such as minting rights, cross-chain bridge management rights, and lending market administrator rights are directly stored as on-chain resources. Once such permission resources are compromised, the risk will not be limited to a single protocol; all applications relying on those permissions will also collapse.
Researchers at Hexens provided a simple analogy: the harm from this vulnerability is equivalent to a major flaw emerging in Ethereum-based public chains, where an attacker’s contract could bypass type safety mechanisms and directly write to or manipulate the storage data of other smart contracts—where type safety is exactly the core protective barrier designed from the start of the Move language.
Polygon's Chief Technology Officer Mudit Gupta independently verified the vulnerability demonstration package, confirming the attack process was legitimate: "The entire attack logic is entirely valid, and the demonstration was successfully reproduced; all the prerequisites for an attack in a mainnet environment can be satisfied." Security agency Grego AI also independently reproduced the vulnerability, and their calculations showed that approximately $250 million in native locked assets on the Aptos mainnet were directly exposed to risk, not including broader cross-chain risks.
$70 Billion Risk
This vulnerability was discovered by Vahe Karapetyan, co-founder and CTO of Hexens. If not promptly fixed, the vulnerability could allow for risk exposure across cross-chain bridges, stablecoins, various DeFi protocols, and centralized exchanges, potentially leading to losses in the hundreds of billions, causing a crisis for the entire industry.
The entire attack environment could be set up with just a $3,000 server, and malicious hackers could carry out the attack without needing a complete simulated cluster, with costs amounting to just hundreds of dollars, and without needing to control validation nodes, possess internal information, or obtain high-level protocol permissions.
The research team conducted about 20 rounds of attack simulations in a simulated mainnet environment, successfully accomplishing 17 to 18 attacks. The remaining 2 to 3 failures did not cause network downtime; attackers could retry repeatedly until they broke through. The simulated cluster replicated the complete environment of a real mainnet: building over 30 validation nodes, restoring realistic staking distributions, and replicating daily transaction traffic and block congestion scenarios. The team also employed a non-attack pre-calibration technique, measuring the memory pool and block packaging operating state before formally launching the attack, significantly reducing the uncertainty brought by randomness and greatly improving the success rate in practice.
Hexens estimated based on publicly available on-chain data that the direct risk exposure of just the Aptos native DeFi, tokenized assets, stablecoins, and liquidity staking protocols reaches several billion dollars.
And the risk from underlying vulnerabilities of public chains is never limited to a single public chain. When considering exposure from cross-chain bridges, cross-chain communication protocols, stablecoin issuance routes, centralized exchanges, etc., the overall systemic risk is estimated to reach as high as $70 billion. Grego AI CEO Justus Hanna stated that attackers could use this vulnerability to seize core management permissions of mainstream cross-infrastructure like LayerZero, Wormhole, and the Cross-Chain Transfer Protocol (CCTP), theoretically allowing them to empty all associated locked funds.
This simulation test is sufficient to prove that hidden vulnerabilities at the bottom of public chains can bring about devastating industry risks.
If hackers were to exploit this vulnerability to launch a real attack, the scale of losses would far exceed last year's $1.5 billion theft from Bybit exchange. Just in June, Zcash plummeted 38% due to a high-risk vulnerability that had been lurking in the privacy pool for four years; this vulnerability allowed attackers to mint counterfeit tokens indefinitely without being detected. Prior to this, several billion-dollar cross-chain bridge and smart contract theft incidents had continually shaken market confidence in infrastructure.
The $70 billion risk assessment is based on scenarios where attackers batch mint USDC and leverage Circle CCTP to cross over to multiple public chains. Theoretically, if an incident breaks out, Circle is likely to suspend USDC transfers, but Circle has previously stated that it would not freeze user assets without judicial authorization, leading to execution uncertainties. Even if related platforms implement urgent risk controls, the impact of this vulnerability would severely damage the entire crypto market.
The research team confirmed through the verification demonstration that the vulnerability could seize top-level management permissions within the cross-chain system, including minting control permissions, signing permissions, and protocol account control rights. They fully replicated the process of seizing control permissions, without actually minting tokens, but clearly demonstrated that this risk must be included in the security threat model. The main conduit for the vulnerability's transmission is the cross-chain channel connecting Aptos with centralized exchanges, through which attackers could alter the transaction recording data of exchange users.
Response and Disclosure
On the same day Hexens submitted the report, an emergency response team called "SEAL911" was formed, responsible for coordinating response measures. Hours after the formation of the response team, the project team received a complete report on the vulnerability. That afternoon, four core downstream projects received the vulnerability demonstration files and risk analysis of permissions simultaneously.
On February 27, the official code repository publicly released the fix submission records, and Aptos stated that private patches for validation nodes had been deployed before the public code went live. Meanwhile, Hexens stated that they had not received any data-supported technical rebuttal from Aptos, who only cited a probabilistic threshold for the attack's occurrence.
Although no funds were stolen, the simulation results indicated that during blockchain-level attacks, traffic restrictions, frozen issuing institutions, cross-chain controls, exchange monitoring, and validator patches are not secondary security measures. They directly determine whether the vulnerability constitutes a minor localized incident or a systemic collapse of the entire industry.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。