the coinformer
Contact About
Live 5m

"The worst kind of bug possible on a chain." Fixed Aptos bug could have let hackers move funds without permission

Researchers found a critical Aptos bug that could have let attackers drain funds, seize contract powers and even affect assets beyond Aptos itself.

Egor Komarov/Unsplash/Glitch

Hexens, the blockchain security firm, disclosed a critical bug in Aptos that it says could have let hackers change blockchain records they were never supposed to control.

  • Aptos is a Layer-1 blockchain developed by former Meta employees who worked on Libra, Facebook's crypto project that was later renamed Diem and eventually shelved after regulatory pushback.
  • It uses Move, the programming language built during that era for handling tokens.

The bug, which Hexens described in a July 4 research report, was inside the Aptos Move VM, the core system that runs smart contracts on Aptos. Hexens marked the issue as critical and said affected versions included 1.41.5, the latest version at the time of the report.

Per the findings, Aptos could mix up what belonged to whom
The chain uses internal shortcuts to remember which data belongs to which account or app. But Hexens said one cleanup process could erase part of that memory while leaving another part behind.

After that, an attacker's fake object could end up pointing to someone else's real data. The attacker could change their own object, while the chain wrote that change into a victim's records.

  • In Hexens' proof-of-concept, a dummy balance field inside a test vault was changed from 42,424,242 to zero, even though the attacker "never had access" to the victim's vault type.

Mudit Gupta, Polygon Labs' chief technical officer, called it "the worst kind of bug possible on a chain" in an X post and said an arbitrary state-write bug could put "stablecoins, LSTs, everything" at risk.

"Not only everything on the affected chain can be stolen but also most assets across all chain can be stolen. Your stablecoins, LSTs, everything."

Mudit Gupta

As Hexens claims, the bug could have enabled direct fund theft, stolen admin powers, forged bridge messages through LayerZero, Wormhole and Circle CCTP, and unlimited minting risks for USDC and USDT on Aptos.

  • Hexens says the bug was privately disclosed to the Aptos team on February 25. A public pull request appeared on February 27, and Hexens said Aptos had already deployed a private validator patch before the public fix appeared.
👀 5