Hexens, the blockchain security firm, disclosed a critical bug in Aptos that it says could have let hackers change blockchain records they were never supposed to control.
- Aptos is a Layer-1 blockchain developed by former Meta employees who worked on Libra, Facebook's crypto project that was later renamed Diem and eventually shelved after regulatory pushback.
- It uses Move, the programming language built during that era for handling tokens.
The bug, which Hexens described in a July 4 research report, was inside the Aptos Move VM, the core system that runs smart contracts on Aptos. Hexens marked the issue as critical and said affected versions included 1.41.5, the latest version at the time of the report.
The chain uses internal shortcuts to remember which data belongs to which account or app. But Hexens said one cleanup process could erase part of that memory while leaving another part behind.
After that, an attacker's fake object could end up pointing to someone else's real data. The attacker could change their own object, while the chain wrote that change into a victim's records.
- In Hexens' proof-of-concept, a dummy balance field inside a test vault was changed from 42,424,242 to zero, even though the attacker "never had access" to the victim's vault type.
Mudit Gupta, Polygon Labs' chief technical officer, called it "the worst kind of bug possible on a chain" in an X post and said an arbitrary state-write bug could put "stablecoins, LSTs, everything" at risk.
Mudit Gupta
As Hexens claims, the bug could have enabled direct fund theft, stolen admin powers, forged bridge messages through LayerZero, Wormhole and Circle CCTP, and unlimited minting risks for USDC and USDT on Aptos.
- Hexens says the bug was privately disclosed to the Aptos team on February 25. A public pull request appeared on February 27, and Hexens said Aptos had already deployed a private validator patch before the public fix appeared.
