
White-hat hackers found a $70 billion flaw with a $3,000 server — what 'responsible disclosure' means

altrookie editorial

Security researchers say they found a flaw in the Aptos blockchain that, before it was quietly patched in February, could have put as much as $70 billion in crypto at risk — across stablecoins, cross-chain bridges and exchanges. The unsettling part: simulating the attack cost the team only about $3,000, and no insider access was needed. No user funds were lost.

The bug was reported by Hexens, a blockchain security firm, on February 25 through Aptos's bug-bounty program. They described it as a “stale-cache” issue that led to a type-confusion vulnerability — in plain terms, the chain could be tricked into treating one kind of on-chain object as another. In the Move programming language Aptos uses, that can mean seizing powerful permissions like the right to mint a stablecoin or control a bridge. Aptos said it developed, tested and deployed a fix within hours, and a public patch followed on February 27.

What makes the story sobering is how cheap and repeatable the attack looked. Using a roughly $3,000 server setup to imitate about a third of Aptos's validator network, the researchers ran their exploit around 20 times and succeeded in 17 or 18 of them — a success rate near 90% under conditions meant to mirror the live network. Independent reviewers, including Polygon's chief technology officer and a firm called Grego AI, said the proof-of-concept held up. Grego AI estimated that about $250 million of Aptos's own value was directly exposed, with the far larger $70 billion figure coming from what an attacker could reach through connected systems such as Circle's USDC and cross-chain messaging protocols.

Aptos pushed back on how dangerous the bug really was in practice, telling CoinDesk its “analysis determined the bug would have extremely low exploitability in real world conditions.” That disagreement matters, but the near-miss still lands against a run of real disasters: last year's $1.5 billion Bybit hack, and a Zcash bug revealed in June that had quietly allowed potential counterfeiting for four years and sent its token down 38%.

For a beginner, the useful takeaway is not the scary headline number but how the problem was handled. This is “responsible disclosure” working as intended: white-hat researchers reported the flaw privately, a volunteer emergency group called SEAL911 coordinated a response, and the hole was closed before anyone published the details or lost money. You can't audit a blockchain yourself, and eye-watering “at risk” figures are usually worst-case math, not actual losses. What you can watch for is whether a project runs a real bug-bounty program and patches fast — that, more than any promise of being “unhackable,” is what separates the chains that survive their inevitable bugs from the ones that don't.