Aptos Network Vulnerability Exposed $70 Billion to $3,000 Attack
- The flaw allowed control over roles that authorize the issuance of stablecoins like USDC.
- Researchers found that between 17 and 18 out of every 20 attack attempts were successful.
A critical flaw in the Aptos network was corrected last February, after the security firm Hexens demonstrated that this vulnerability could expose up to $70 billion in funds within the Aptos ecosystem to an attack costing only $3,000, the amount researchers mentioned for renting a server with the power of a desktop computer. The fix was applied before the flaw could be exploited, so no users lost money.
Although the discovery and its correction occurred in February, the complete technical details and proof of concept (PoC) from Hexens were only made public this week when Hexens and the Aptos team released them.
Hexens stated that in every 20 attempts to simulate the attack, between 17 and 18 ended successfully in a test environment with over 30 nodes (the computers that verify and confirm operations within the network). The Aptos team confirmed on July 4 through a media outlet that the discovery was reported on February 25 via a bug bounty program, and the correction was developed, tested, and deployed on the main network afterward.
The error originated in the Move virtual machine (MoveVM), the program that executes the code of smart contracts within Aptos to carry out network operations, designed under the Move programming language. This program, in turn, organizes the data of each contract into structures, the way MoveVM stores, for example, the balance of an account or the administrative permissions of a protocol.
The system keeps an identification number for each of these structures in temporary memory, to avoid repeating the same process in each operation. The problem arose when the system emptied part of that memory to free up space, but not all of it: the number identifying a structure could mistakenly remain associated with the data of another completely different one. This is known as type confusion, an error in which the program ends up treating the information of one account as if it belonged to another.
With this error, as described by Hexens in their technical report published on July 6, an attacker could take over master administrator roles, the function that authorizes the issuance of a stablecoin, or signing capabilities that control the handling of funds within a contract. Researchers claimed to have taken control of a master administrator role and reached the step prior to authorizing an issuance, without executing it.
The Hexens team also noted that the flaw reached the routes connecting Aptos with bridges between networks, such as those operated by Wormhole and LayerZero, and with the protocol used by Circle to move its stablecoin USDC between different networks, known by its English acronym CCTP (Cross-Chain Transfer Protocol).
According to Hexens, an attacker could also force a complete emptying of those temporary memories (caches) after an attempt, whether successful or failed, to leave no trace of the manipulation. This partly explains why the firm insists that failed attempts did not stop the network or expose the ongoing attack.
Additionally, Hexens researchers compared the problem to an equivalent scenario in an Ethereum-based network, where code under the control of an attacker could write directly over the storage space of another contract, bypassing the guarantees of the type system that Move was specifically designed to uphold.
Hexens reported the flaw following the practice of responsible disclosure, meaning they notified Aptos privately before publishing any details publicly. An emergency room coordinated by SEAL911, a voluntary response network that various projects in the sector use to coordinate reactions to serious security incidents, was also activated.
The Aptos team, for its part, rated the practical exploitability of the flaw as "extremely low." This assessment contrasts with the success rate of between 17 and 18 out of every 20 attempts that Hexens claimed to have achieved in their simulations, and also with independent reviews from two third parties: Mudit Gupta, CTO of Polygon, stated that the proof of concept worked as described, while the firm Grego AI estimated the direct risk to Aptos's native assets at $250 million, a figure significantly lower than the $70 billion that Hexens estimated for the broader ecosystem impact.
Finally, Charles Guillemet, CTO of Ledger, indicated that such findings, with complete traces of the virtual machine and two functional proof of concepts, previously required months of work from a specialist and today, with artificial intelligence tools, are faster and cheaper to produce. According to his reading, if security teams can now go through every line of code and build a functional attack at low cost, it is reasonable to assume that groups of attackers, including those linked to North Korea like Lazarus, have similar capabilities.
