- Hexens found a critical flaw in Aptos that was patched before any funds moved.
- The bug could have let an attacker forge assets and push them across bridges.
- Aptos disputes the severity, yet Polygon’s CTO validated the proof-of-concept.
- The case revives the argument for on-chain circuit breakers on fast L1s.
A security firm has revealed that Aptos, one of the faster layer-1 blockchains, carried a critical flaw for months before it was quietly fixed. On July 4, Hexens went public with a bug it had reported privately to Aptos back on February 25, a weakness in the engine that runs the chain’s smart contracts that, by its own estimate, put as much as $70 billion of theoretical risk in play across bridges, stablecoins and connected exchanges. Aptos Labs had patched it within hours of that first report, and no user funds were ever touched.
So why does a five-month-old patch make news now? Two reasons. The number, obviously. But also the detail sitting underneath it: the thing Aptos markets hardest is raw speed, and raw speed is exactly what turns $70 billion from a scare headline into a defensible estimate.
A record-throughput brag, one day after the story broke
On July 5, barely 24 hours after the report, the project’s official account went ahead with its scheduled monthly tokenomics update, reporting 232,500 APT burned over the past 30 days, more than 16 million transactions in a single day for a fresh quarterly high, and an average fee of $0.0005 following a tenfold fee increase, all under the tagline “the full stack for markets and machines at work.” The post reads very differently once you have the Hexens disclosure in front of you, because the near-free transactions and enormous throughput that Aptos is promoting are the exact same properties a security researcher weighs first when calculating how much a single bug in the chain’s core could actually cost.
Every transaction on Aptos burns $APT. New month update:
• 232.5K APT burned in the Last 30D
• 1.4M total APT burned since mainnet
• +16M transactions in a day—a new quarterly high
• $0.0005 avg tx fee since 10x fee increaseThe full stack for markets and machines at work. pic.twitter.com/gPEuWzD1Qf
— Aptos (@Aptos) July 5, 2026
The bug lived below the code most audits check
Aptos is built on Move, a programming language designed specifically to make this kind of attack hard. Move treats tokens and other digital assets as protected items and checks, at the moment a transaction runs, that nothing is being handled as the wrong type of thing. That safety promise is a big part of why Aptos and Sui both pitch Move as safer than older environments.
The Hexens flaw slipped underneath that promise instead of breaking it head-on. In simple terms, the system briefly worked from outdated information and ended up mistaking one kind of on-chain item for another. Security people call that “type confusion,” an old software problem where a program reads something as the wrong type and walks straight past the checks meant to stop it. On a blockchain, that mix-up is dangerous: an attacker could disguise a malicious item as a legitimate one and trick the network into misreading who owns an asset and who is allowed to move it.
Polygon CTO Mudit Gupta reviewed the proof-of-concept independently and told CoinDesk it ran as claimed, with the caveat that a few conditions had to line up first. Coming from the security chief of a rival chain, that carries more weight than anything Aptos or Hexens could say on their own.
Why cheap fees and huge volume make the bug worse
Throughput stops being a marketing line here and starts behaving like a risk multiplier. Hexens ran the attack against a cluster of more than 30 validator nodes, set up to mirror the real network, on a server rig that cost about $3,000 and stood in for roughly a third of the validator set. It worked 17 or 18 times out of 20, with no insider access or special permissions required.
Fold in the live figures and the picture sharpens. At a fraction of a cent per transaction, flooding the chain with malicious payloads is close to free. At 16 million transactions a day, with blocks confirming in seconds, an attacker who could forge assets would need only a short window to create them and move them out before anyone reacted. Speed is neutral. The same engine that clears legitimate volume in seconds would clear a fake mint-and-transfer run at the same pace, and the humans running the network cannot react that fast.
That is the part the burn-metrics post accidentally underlined.
Two very different numbers, and why the gap matters
Two figures came out of this, and treating them as one is how the story gets distorted. The smaller one is around $250 million, the value held in Aptos DeFi apps that independent firm Grego AI judged to be at direct risk. The larger one is the $70 billion, and it only appears once you follow the flaw outward through cross-chain bridges like Wormhole and LayerZero, stablecoin systems, and the exchanges that trade APT and its wrapped versions.
Bridges are the soft spot. They pool assets from several chains at once, so a forged-asset event that starts on Aptos could, in the worst modeled case, drain money that originally came from Ethereum. The $70 billion is a worst-case total built on a stack of assumptions, not cash that was ever sitting there to grab in one clean move.
| Figure | What it represents | Source |
|---|---|---|
| $250M | Value in Aptos DeFi apps at direct risk | Grego AI |
| $70B | Worst-case systemic risk across bridges, stablecoins, exchanges | Hexens |
| $3,000 | Server cost to simulate roughly a third of validators | Hexens |
| $1M | Maximum Aptos bug bounty payout tier | Aptos bug bounty program |
Aptos Labs does not dispute the report itself. It confirms the February 25 notification through the bug bounty program and says the issue was already being worked on internally. What it contests is the severity, arguing that real network conditions made the exploit much harder to pull off than the test setup implied, and putting real-world exploitability at “extremely low.” That claim runs straight into Gupta’s independent validation, and the two positions have not been reconciled in public.
There is a second gap worth flagging, and it is about incentives rather than code. The bounty caps at $1 million. An exploit of this kind would fetch many multiples of that on the black market, and Hexens disclosed anyway, which is the entire point of running a bounty.
| The systemic-threat reading | The resilience reading |
|---|---|
| A $3,000 setup could threaten a top-tier layer-1 | Patched within hours, no network disruption |
| A core bug hints at category risk for Move chains | Aptos says real conditions made exploitability very low |
| One flaw could reach bridge and stablecoin assets | The bounty steered a white-hat outcome over a sale |
What the APT chart is doing while the debate runs
Traders have mostly shrugged this off. On the 4-hour Aptos/USD chart from Coinbase, pulled via TradingView, APT changed hands near $0.635 on July 7, holding above its 50-period moving average at $0.6061 and its 100-period line at $0.6147, while running into the 200-period average at $0.6410 as resistance overhead. A moving average is just the average closing price over that many candles, and this layout points to a real bounce that has not yet cleared the bigger downtrend, the one that dragged APT from roughly $1.00 in mid-May to about $0.55.

The RSI, a gauge of buying pressure that runs from 0 to 100, sat at 58.77, above the neutral 50 mark but nowhere near the 70 line that signals an overheated market. CoinMarketCap had APT up 9.91 percent on the week at $0.6339, so the disclosure looks like a weight on sentiment rather than a trigger for real selling.
The fix that outlasts this news cycle
Builders carry the near-term load. Anyone running an app on Aptos has a reason to re-check how their code handles the kind of edge case Hexens found, and big investors may keep a slightly higher risk premium on Move-based tokens like APT and SUI while they take another look at the network’s foundations.
Two things, though, are likely to stick around after the coverage fades. The first is the bounty ceiling. A $1 million cap looks increasingly small next to the value it is meant to protect, and projects competing with black-market buyers may have little choice but to raise it. The second is a shift in the question researchers actually ask. For years the bragging rights were about how many transactions a chain can push through. This incident nudges the focus toward the opposite skill: how quickly a network can stop itself. Fast chains increasingly need automatic “kill switches” that freeze cross-chain transfers the instant something looks wrong, because once a human notices, the transactions have already gone through.
Aptos is about to run that experiment on itself. A proposal to hide transaction details until after they confirm, which would make front-running harder, is already moving through community voting, while other upgrades chase even faster confirmation times. Every one of those adds speed and adds value at stake, the same combination the Hexens disclosure showed can turn a single bug into a systemic one. Whether Move’s next security moment reads as reassurance or repeat comes down to one thing: whether these upgrades ship with the kind of built-in safeguards this episode made the case for.a



