How ethical hackers with just a $3,000 server found a flaw that could’ve put $70 billion in crypto at risk

The Aptos spokesperson also disputed the practical exploitability of the bug to CoinDesk. “Our analysis determined the bug would have extremely low exploitability in real world conditions.”

However, the details of what researchers found offer a sobering look at how close the ecosystem came to a potentially industry-altering event.

The sensitivity of this class of bug comes down to how the Move language handles authority. Protocol permissions in Move, including the right to mint a stablecoin, control a bridge, or administer a lending market, are often stored directly as onchain resources. If those resources are compromised, the damage does not stop at one protocol. It extends to everything that trusts them.

Hexens’ researchers offered a practical analogy to the bug: it is roughly comparable to a bug on an Ethereum-style chain that would allow attacker-controlled code to write into storage belonging to other contracts, bypassing the type-system guarantees that Move was specifically designed to uphold.

Mudit Gupta, CTO at Polygon, independently reviewed the proof-of-concept materials and said the exploit held up. “It ran as claimed, and the exploit made sense,” he told CoinDesk. “It required a few conditions to be met, which it seems like they did on the mainnet.”

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *