Showing posts with label defi security 2026. Show all posts
Showing posts with label defi security 2026. Show all posts

Ethical Hackers Found a Way to Break a $70 Billion Blockchain - With a $3,000 Budget...

Turns out you don't need a nation-state budget to threaten a multi-billion dollar blockchain. You need about $3,000 and a very good weekend.

That is the uncomfortable lesson from a disclosure that went public on July 4, when security firm Hexens revealed a critical flaw it found in Aptos back in February. The bug lived inside the Move virtual machine, the engine that runs every smart contract on the chain, and it was serious enough that Hexens put the first-order systemic risk at roughly $70 billion. For a network that markets itself on speed and safety, that is not a number anyone wants attached to their name. The good news, which we will get to, is that no funds were ever lost. The bad news is how little it would have taken to change that.

The story matters because Aptos is not some abandoned testnet. It is a top-tier layer-1 with real stablecoins, real bridges, and real money parked in its ecosystem. When a researcher tells you a flaw could have reached that much value, they are not just talking about tokens sitting in wallets. They are talking about the plumbing that connects Aptos to the rest of crypto. And the people who found this did it on a budget that would not cover a decent gaming PC.

What they actually found

Hexens described the issue as a "stale-cache bug" that led to a type-confusion vulnerability. In plain terms, that means the software could be tricked into treating one kind of on-chain resource as if it were a completely different one. If you have ever handed someone the wrong key and watched them open a door they were never supposed to touch, you get the general idea. According to the firm, the flaw let an attacker potentially hijack on-chain structs and authority resources, which are the core data structures that decide who owns what and who is allowed to do what. Mess with those, and the normal rules about ownership stop meaning very much.

Type confusion is one of those bug classes that sounds academic until it is pointed at real money. It has haunted traditional software for decades, and the Move language was specifically designed to make this sort of thing hard to pull off. That is part of why this disclosure stings a little. The whole selling point of Move is that it treats digital assets as a special resource the compiler guards closely, so seeing a type-confusion flaw surface in Aptos is a bit like finding a leak in the one boat everyone promised was unsinkable.

The scary part: It took $3,000 to make it happen

Plenty of blockchain exploits require deep pockets, insider access, or control of a big chunk of the network. This one, allegedly, did not. Hexens says it simulated the attack under real network conditions with a success rate above 90 percent, using a server setup that cost around $3,000 and stood in for roughly a third of the validator set. No special permissions, no insider help, no cooperation from anyone already inside the system. That combination is what turns a technical curiosity into a genuine emergency, because it means the barrier to entry was almost nothing. When the cost of breaking something is measured in hundreds or low thousands of dollars and the prize is measured in billions, you are relying entirely on nobody else noticing first.

Where the $70 billion number comes from

A $70 billion figure sounds almost cartoonish for a chain whose own token market cap is a fraction of that, so it is worth explaining. Hexens was not claiming $70 billion sits directly on Aptos. The estimate covers everything the flaw could have reached through the connections crypto has quietly built over the last few years. That includes value moving across bridges, cross-chain messaging systems, stablecoin administration flows, and assets custodied by centralized exchanges that touch the network. Modern crypto is stitched together, and a hole in one important chain does not stay politely contained to that chain. That is the real warning here, and it applies to a lot more than just Aptos.

The quiet fix nobody heard about until now

Here is the part that keeps this from being a horror story. Hexens reported the flaw through Aptos Labs' bug bounty program on February 25, and the team says a fix was developed, tested, and pushed to mainnet within hours of discovery. An Aptos spokesperson told CoinDesk that no users or funds were impacted at any point, and the details were only made public months later, which is exactly how responsible disclosure is supposed to work. The researchers got paid, the hole got patched before anyone with bad intentions found it, and the wider world found out once it was safe to talk about.

Still, it is worth sitting with what almost happened. A flaw that could have rippled across $70 billion in connected value was closed off by a bug bounty and a fast engineering response, not by luck at the moment of attack. If white-hat researchers had not gotten there first, this would read very differently. The lesson for anyone holding crypto is not to panic about Aptos specifically, which is now patched, but to notice how much of this industry's safety still depends on a small group of ethical hackers choosing to send an email instead of draining a wallet. That is a thin line to be standing on, and it is worth remembering the next time a chain tells you it is unbreakable.

---------------

Author: Dorian Fenwick
Silicon Valley Newsroom
Breaking Crypto News

North Korea Allegedly Drained $280 Million from Solana's Drift Protocol on April Fool's Day

Happy April Fool's Day... Your $280 Million Is Gone. Really. 

On April 1st, the Solana-based DeFi platform Drift Protocol had $280 million drained from its accounts in what blockchain security firm Elliptic says bears all the hallmarks of a North Korean state-backed operation. The attack was no prank - and for Drift's users, it was about as far from funny as it gets.

What made this one technically notable was the attack vector. Rather than a straightforward exploit or the social engineering tricks North Korean hackers are known for, the alleged attackers abused a Solana feature called a durable nonce - a mechanism designed to prevent transaction timeouts. According to reporting by Fortune, the attacker used this mechanism to dupe Drift's Security Council into pre-approving transactions that wouldn't execute until weeks later - effectively planting a time bomb inside the protocol's own administrative layer.

Drift confirmed the incident in a post on X, describing how "a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers." The platform immediately suspended deposits and withdrawals for all users.

North Korea's Crypto Crime Streak Continues

Elliptic's attribution is consistent with a now well-established pattern. North Korea was responsible for roughly $2 billion in stolen crypto throughout 2025 - around 60% of all digital assets stolen globally that year, per blockchain analytics firm Chainalysis. The country's most brazen job was the alleged $1.5 billion hack of crypto exchange Bybit in early 2025, still the largest single crypto theft on record.

North Korean hackers typically rely on social engineering - building fake identities, infiltrating teams, and manipulating insiders into handing over credentials. The Drift attack represents something different: a patient, technically sophisticated exploit that weaponized the platform's own security infrastructure against it. The attacker didn't break down the door. They convinced someone inside to leave it unlocked.

Who Is Drift?

Drift Protocol was founded in 2021 by Cindy Leow and David Lu. It offers perpetual futures and other trading products on Solana, and had accumulated over $400 million in total deposits before the attack. That figure is now considerably different. The platform has not yet provided a detailed public timeline for resuming normal operations.

The Drift hack is a reminder that DeFi's security model - which relies on multisig councils, on-chain governance, and community-held administrative keys - is only as strong as the humans and processes behind it. A durable nonce isn't a bug; it's a feature. But features can be weaponized, and North Korea's alleged hackers appear to have studied Solana's mechanics carefully enough to do exactly that.

For the broader Solana ecosystem, the timing couldn't be worse. The network has spent the better part of two years positioning itself as the institutional-grade DeFi layer of choice. A $280 million heist - allegedly handed to a regime under international sanctions - is not a great look, regardless of which chain the exploit ran on.

---------------

Author: Cedric Holloway
New York Newsroom