Picture of the author

数链先行

07/06 14:40

Ethical Hackers Found a Way to Break a $70 Billion Blockchain - With a $3,000 Budget...

Turns out you don't need a nation-state budget to threaten a multi-billion dollar blockchain. You need about $3,000 and a very good weekend. That is the uncomfortable lesson from a disclosure that went public on July 4, when security firm Hexens revealed a critical flaw it found in Aptos back in February. The bug lived inside the Move virtual machine, the engine that runs every smart contract on the chain, and it was serious enough that Hexens put the first-order systemic risk at roughly $70 billion. For a network that markets itself on speed and safety, that is not a number anyone wants attached to their name. The good news, which we will get to, is that no funds were ever lost. The bad news is how little it would have taken to change that.

The story matters because Aptos is not some abandoned testnet. It is a top-tier layer-1 with real stablecoins, real bridges, and real money parked in its ecosystem. When a researcher tells you a flaw could have reached that much value, they are not just talking about tokens sitting in wallets. They are talking about the plumbing that connects Aptos to the rest of crypto. And the people who found this did it on a budget that would not cover a decent gaming PC.

What they actually found

Hexens described the issue as a "stale-cache bug" that led to a type-confusion vulnerability. In plain terms, that means the software could be tricked into treating one kind of on-chain resource as if it were a completely different one. If you have ever handed someone the wrong key and watched them open a door they were never supposed to touch, you get the general idea. According to the firm, the flaw let an attacker potentially hijack on-chain structs and authority resources, which are the core data structures that decide who owns what and who is allowed to do what. Mess with those, and the normal rules about ownership stop meaning very much.

Type confusion is one of those bug classes that sounds academic until it is pointed at real money. It has haunted traditional software for decades, and the Move language was specifically designed to make this sort of thing hard to pull off. That is part of why this disclosure stings a little. The whole selling point of Move is that it treats digital assets as a special resource the compiler guards closely, so seeing a type-confusion flaw surface in Aptos is a bit like finding a leak in the one boat everyone promised was unsinkable.

The scary part: It took $3,000 to make it happen

Plenty of blockchain exploits require deep pockets, insider access, or control of a big chunk of the network. This one, allegedly, did not. Hexens says it simulated the attack under real network conditions with a success rate above 90 percent, using a server setup that cost around $3,000 and stood in for roughly a third of the validator set. No special permissions, no insider help, no cooperation from anyone already inside the system. That combination is what turns a technical curiosity into a genuine emergency, because it means the barrier to entry was almost nothing. When the cost of breaking something is measured in hundreds or low thousands of dollars and the prize is measured in billions, you are relying entirely on nobody else noticing first.

Where the $70 billion number comes from

A $70 billion figure sounds almost cartoonish for a chain whose own token market cap is a fraction of that, so it is worth explaining. Hexens was not claiming $70 billion sits directly on Aptos. The estimate covers everything the flaw could have reached through the connections crypto has quietly built over the last few years. That includes value moving across bridges, cross-chain messaging systems, stablecoin administration flows, and assets custodied by centralized exchanges that touch the network. Modern crypto is stitched together, and a hole in one important chain does not stay politely contained to that chain. That is the real warning here, and it applies to a lot more than just Aptos.

The quiet fix nobody heard about until now

Here is the part that keeps this from being a horror story. Hexens reported the flaw through Aptos Labs' bug bounty program on February 25, and the team says a fix was developed, tested, and pushed to mainnet within hours of discovery. An Aptos spokesperson told CoinDesk that no users or funds were impacted at any point, and the details were only made public months later, which is exactly how responsible disclosure is supposed to work. The researchers got paid, the hole got patched before anyone with bad intentions found it, and the wider world found out once it was safe to talk about.

Still, it is worth sitting with what almost happened. A flaw that could have rippled across $70 billion in connected value was closed off by a bug bounty and a fast engineering response, not by luck at the moment of attack. If white-hat researchers had not gotten there first, this would read very differently. The lesson for anyone holding crypto is not to panic about Aptos specifically, which is now patched, but to notice how much of this industry's safety still depends on a small group of ethical hackers choosing to send an email instead of draining a wallet. That is a thin line to be standing on, and it is worth remembering the next time a chain tells you it is unbreakable.

---------------

Author: Dorian Fenwick Silicon Valley NewsroomBreaking Crypto News

Subscribe to GCP in a reader
#HTX Invites You to Share 600K USDT in Gift Packs#World Cup Predictions: 100,000 USDT Daily#HTXCommunity4thAnniversary
1Bagikan

Semua Komentar0TerkiniHangat

avatar
TerkiniHangat