Critical Aptos Move VM Vulnerability Enables Arbitrary On-Chain Struct Hijacking via Stale Type-Tag Cache
By
@hexens
Summary
This article details a critical security vulnerability in the Aptos Move VM involving a stale type-tag cache that enables storage-level type confusion. An attacker can exploit this to hijack and overwrite arbitrary on-chain structs. While a local proof-of-concept works with a single validator, real-world exploitation is more complex because cache structures are in-memory objects that don't synchronize across multiple validators — a naive attack could cause a chain halt. The research explores using strong node primitives to internally synchronize these caches and execute a sophisticated multi-block attack in production environments. The vulnerability was disclosed by Hexens.
Source
Key quotes
· 4 pulledA stale type-tag cache in the Aptos Move VM enables storage-level type confusion, letting an attacker hijack and overwrite arbitrary on-chain structs
While the local PoC works without complications, it works with only a single validator.
A simple attack vector will most likely not succeed, as validators will have different struct indexes mapped, which can cause a chain halt.
This section describes research on how to use strong primitives of the node to internally synchronize these caches and land a sophisticated multi-block attack in a real-world environment.
You might also wanna read
Security researchers found critical Aptos blockchain flaw that could have endangered $70B in crypto
Blockchain security firm Hexens discovered a critical vulnerability in the Aptos blockchain's Move virtual machine that could have put up to
Security researchers found critical Aptos blockchain flaw that could have endangered $70B in crypto
Blockchain security firm Hexens discovered a critical vulnerability in the Aptos blockchain's Move virtual machine that could have put up to
Critical LangChain Core Vulnerability (CVE-2025-68664) Allows Serialization Injection Attacks
Cyata Research discloses LangGrinch (CVE-2025-68664), a critical vulnerability in LangChain Core that allows serialization injection attacks
Glassworm Threat Actor Returns with Unicode-Based Supply Chain Attacks on GitHub, npm, and VS Code
The Glassworm threat actor has returned with a new wave of supply chain attacks using invisible Unicode characters to compromise software re
aikido.dev·3mo agoUnpatchable Vulnerabilities of Kubernetes: CVE-2020-8561
Trivy GitHub Actions Compromised in Supply Chain Attack, Exposing CI/CD Secrets
A new supply chain attack targeting Trivy's GitHub Actions has been disclosed, where attackers compromised the security scanner by force-upd
APT Attack Compromises Reverse Gateway Infrastructure Through Kernel and NFS Server Malware
A detailed incident response blog post describing a sophisticated Advanced Persistent Threat (APT) attack discovered during a routine securi

Comments
Sign in to join the conversation.
No comments yet. Be the first.