- Hexens found a serious flaw in Aptos that was fixed before any funds could be transferred.
- This flaw could allow an attacker to forge assets and push them across bridges.
- Aptos disputes how serious it is, but Polygon’s CTO is validating the proof of concept.
- This case revives the argument for circuit breakers on series L1s.
One of the security companies revealed that Aptos, One of the fastest layer-one blockchains, it carried a serious flaw for several months before it was quietly fixed. On July 4, Hexens publicly announced a bug that Aptos privately reported on February 25, a vulnerability in the engine that runs the chain’s smart contracts, which, by its own estimate, exposes up to $70 billion in theoretical risk across bridges, stablecoins, and connected exchanges. Aptos Labs corrected this issue within hours of the first report, and user funds were not compromised at all.
So why is a five-month-old patch making news now? Two reasons. The number is clear. But also the details underneath: The hardest thing Aptos markets is raw speed, and raw speed is exactly what turns $70 billion from a scary headline into a defensible estimate.
He boasted record production, one day after the story broke
On July 5, just 24 hours after the report was released, the project’s official account continued publishing it Scheduled monthly tokens updatewith a reported burn of 232,500 APT over the past 30 days, over 16 million single-day transactions to set a new quarterly high, and an average fee of $0.0005 after a tenfold fee increase, all under the banner of “The Full Stack of Markets and Machines in Action.” The post reads very differently once the Hexens reveal is in front of you, because the near-free transactions and massive throughput that Aptos touts are the same characteristics that a security researcher first weighs when calculating the actual cost of a single flaw at the heart of the chain.
Every transaction on Aptos is burned $APT. New month update:
• 232.5K APT burned in the last 30 days
• 1.4 million APT burned since mainnet
• +16 million single-day transactions – a new quarterly high
• $0.0005 average transmission fee since fee increased 10xThe full stack of markets and machines in action. pic.twitter.com/gPEuWzD1Qf
– Aptos (@aptos) July 5, 2026
The error was located below the code being examined in most audits
Aptos is built on Move, a programming language specifically designed to make this type of attack difficult. Move treats tokens and other digital assets as protected items and verifies, at the moment a transaction is triggered, that nothing is being treated as the wrong kind of thing. This promise of safety is a big part of the reason why both Aptos and Sui promote Move as safer than legacy environments.
Hexens has backed away from that promise rather than breaking it head-on. In simple terms, the system briefly worked on outdated information and ended up confusing one type of item in the chain with another. Security experts call this “type confusion,” an ancient software problem where software reads something as the wrong type and directly bypasses checks meant to stop it. In the case of blockchain, this confusion is dangerous: an attacker can disguise a malicious item as a legitimate one and trick the network into misreading who owns the asset and who is allowed to transfer it.
Polygon CTO Mudit Gupta independently reviewed the proof of concept and He told CoinDesk that it worked as claimedWith the caveat that some conditions must be met first. Coming from the head of security at a competing series, it carries more weight than anything Aptos or Hexens could say on their own.
Why cheap fees and huge volume make the error worse
Productivity stops being a marketing line here and starts acting as a risk multiplier. Hexens carried out the attack against a cluster of more than 30 verification nodes, set up to mirror the real network, on a server machine that costs about $3,000 and represents roughly a third of the verification toolkit. The program succeeded 17 or 18 times out of 20, without requiring internal access or special permissions.
Collapse the vivid shapes and the image becomes sharper. At a fraction of a cent per transaction, flooding the chain with malicious payloads is almost free. At 16 million transactions a day, with blocks confirmed in seconds, an attacker who can forge assets would only need a short window to create and transfer them before anyone reacts. Speed is neutral. The same engine that removes legitimate volume in seconds would remove fake mints and transfers at the same pace, and the humans running the network cannot react that quickly.
This is the part that was mistakenly emphasized in the burn metrics post.
Two very different numbers, and why this gap is important
This has resulted in two characters, and treating them as one is the way the story is distorted. The smaller amount is worth around $250 million, which is the value in Aptos DeFi applications that independent firm Grego AI deemed to be directly at risk. The largest is $70 billion, and only shows up once the bug is traced outward through cross-chain bridges like Wormhole and LayerZero, stablecoin systems, and exchanges that trade APT and its wrapped versions.
Bridges are the soft spot. They collect assets from several chains at once, so a counterfeit asset event that starts on Aptos could, in the worst case, drain the funds that originally came from Ethereum. The $70 billion total is a worst-case scenario based on a set of assumptions, not cash that was there for the taking in one clean move.
| appearance | What it represents | source |
|---|---|---|
| 250 million dollars | The value in Aptos DeFi applications is directly at risk | Greek Amnesty International |
| $70B | Worst systemic risk across bridges, stablecoins and exchanges | Hexenes |
| $3000 | The server cost for simulating is approximately one-third of the validators | Hexenes |
| Million dollars | Maximum bug bounty payout level at Aptos | Aptos bug bounty program |
Aptos Labs does not dispute the report itself. The February 25 notification confirms the bug bounty program and says the issue has already been worked on internally. What they object to is their severity, arguing that real network conditions make performing an exploit much harder than the test setup suggests, and putting real-world exploitability at a “very low” level. This claim extends directly to Gupta’s independent endorsement, and the two positions have not been publicly reconciled.
There is a second gap that deserves attention, and it relates to incentives, not symbols. The maximum reward is $1 million. Exploiting this type would fetch exponentially more than that on the black market, Hexens revealed anyway, and that’s the point of bounty management.
| Read the systemic threat | Read flexibility |
|---|---|
| A $3,000 setup can threaten the first layer of the first layer | It was fixed within hours, without network interruption |
| Fundamental error refers to the class risk for transportation chains | Aptos says real-world conditions made exploitability extremely low |
| One drawback could be access to bridge assets and stablecoins | The bonus led the white hat result on the sell |
What the APT chart does while the discussion is ongoing
This was mostly ignored by traders. On the 4-hour Aptos/USD chart from Coinbase, Withdrawn via TradingView, APT traded near $0.635 on July 7, settling above its 50-period moving average at $0.6061 and its 100-period moving average at $0.6147, while reaching the 200-period moving average at $0.6410 as general resistance. The moving average is just the average of the closing price above several candles, and this chart indicates a real bounce that has yet to clear the larger downtrend, one that pulled the APT from around $1.00 in mid-May to around $0.55.

The Relative Strength Index, a measure of buying pressure that ranges from 0 to 100, sat at 58.77, above the neutral 50 mark but not near the 70 line that indicates an overheated market. CoinMarketCap APT was up 9.91% on the week at $0.6339, so the disclosure appears to be a drag on sentiment rather than a catalyst for true selling.
A fix that outlasts this news cycle
Builders bear the burden in the near term. Anyone running an application on Aptos has reason to double-check how their code handles the kind of edge case Hexens found, and larger investors can hold a slightly higher risk premium on Move-based tokens like APT and SUI while taking another look at the network’s foundations.
However, there are two things that are likely to persist after the coverage fades. The first is the bonus cap. The $1 million cap looks increasingly small compared to the value it is intended to protect, and projects competing with black market buyers may have no choice but to raise it. The second is a shift in the question researchers are actually asking. For years bragging rights revolved around the number of transactions a chain could complete. This incident pushes the focus toward the opposite skill: how quickly the network shuts itself down. Fast chains increasingly need automatic “kill switches” that freeze cross-chain transfers the moment something looks wrong, because once a human notices, the transactions have already taken place.
Aptos is about to perform this experiment on itself. The proposal to hide transaction details until after they are confirmed, which would make front-end operation more difficult, is already moving through a community vote, while other upgrades seek to achieve faster confirmation times. Each of these things adds speed and adds value to the stake, the same combination that the Hexens revelations showed can turn a single mistake into a systemic error. Whether Move’s next moment of safety counts as reassurance or a repeat comes down to one thing: whether those upgrades come with the kind of built-in safeguards that this episode demonstrated.





