Ethical hackers found and helped fix a $70B security flaw in Aptos blockchain

A team of ethical hackers used a cheap $3,000 server to break a key security rule of the Aptos blockchain, risking up to $70 billion in crypto assets. Aptos Labs patched the flaw before any money was lost, but the issue raises concerns about the safety of its network for investors and users.
A small team of ethical hackers armed with a $3,000 server cracked a core security guarantee of the Aptos blockchain – and they did it for pocket change. The flaw, now patched, gave the researchers a nearly 90% success rate at breaking the network's fundamental safety promise. Potential losses: up to $70 billion in crypto assets.

The attack cost just a few hundred dollars to execute. That makes it one of the cheapest critical blockchain vulnerabilities ever demonstrated. The researchers, who disclosed the issue privately before it was fixed, showed that the cheap hardware could repeatedly force the blockchain into an invalid state – a breach of what Aptos calls its "safety guarantee."

That guarantee is the bedrock of any proof-of-stake chain: once a block is finalized, transactions inside it cannot be reversed or altered. The researchers broke that. From a server that costs less than a used Honda, they found a way to make the network accept conflicting blocks, opening the door to double-spending and other catastrophic attacks.

Aptos Labs confirmed the patch in a statement Thursday, July 4. The team said no funds were ever at risk in practice because the vulnerability was discovered during a routine security review. Still, the disclosure rattles investor confidence in a chain that has touted its academic roots and Rust-based Move language as layers of security.

For traders, the immediate concern is token price. APTOS has been trading in a narrow range, but bearish sentiment is already surfacing in over-the-counter markets. The attack vector itself is closed, but the episode raises questions about how many more such cheap-to-exploit holes might exist under the hood.

The real watch item now is whether Aptos will release a full technical autopsy. Without one, investors are left guessing about the root cause and whether other attack surfaces remain. Meanwhile, the team that found the flaw plans to present its full findings at a security conference in August.

This is not a crisis in motion – the patch is live. But for anyone holding APTOS or building on Move-based chains, the takeaway is clear: even a well-audited blockchain can be broken with a rig that costs less than a MacBook Pro. Trust, once dented, takes longer to repair than code.