
Are Move Blockchains Like Aptos and Sui Safe After the $70 Billion Flaw?

Key Points

Hexens disclosed a $70 billion type-confusion flaw in the Aptos Move VM on July 4, patched with no funds lost. Here is what it means for the safety of every Move blockchain and for holding APT and SUI.

On July 4, 2026, security firm Hexens disclosed that a single type-confusion bug in the Aptos Move virtual machine had put roughly $70 billion of first-order value within theoretical reach of an attacker. The researchers reproduced the exploit on a simulated Aptos environment running on a $3,000 server, hit an estimated 90% success rate, and reported it to the Aptos team in late February. Aptos patched it before mainnet was ever touched, and no funds were lost.

The number is large enough to raise a fair question for anyone holding a Move-based asset. Aptos and Sui both run on the same language that came out of Meta's abandoned Diem project, and Movement and Sei sit in the same family. If one flaw could expose $70 billion on Aptos, is the whole Move category built on shaky ground?

Here is what the flaw actually was, how far it really reached, how the two leading Move chains differ in their risk profiles, and what a patched-before-exploitation bug should and should not change about holding APT or SUI.


What the $70 Billion Flaw Actually Was

Hexens described the issue as a stale-cache bug that led to a type-confusion vulnerability, a condition where the virtual machine can be tricked into treating one kind of on-chain resource as another. In a language built around resources that represent real ownership and permissions, confusing one type for another is close to the worst thing that can happen. It lets an attacker forge authority they were never granted.

The $70 billion figure is a systemic risk estimate, not a pool of money sitting in one contract. It counts everything an attacker could theoretically have reached by abusing forged capabilities, including value routed through bridges, cross-chain messaging systems, stablecoin administration flows, and assets custodied by centralized platforms connected to the chain. Researchers noted that protocol-level capabilities held by infrastructure like LayerZero, Wormhole, and USDC's cross-chain transfer system fell inside that blast radius.

Two facts keep this from being a disaster story. The bug was caught in a private disclosure and fixed months before the public learned about it, and the exploit was demonstrated in a lab, not on live mainnet. The reason the write-up matters anyway is the cost of entry. Finding a chain-ending bug did not take a nation-state budget. It took a mid-tier server and researchers who understood the Move VM's internals better than most.

What Move Is and Which Blockchains Run On It

Move is a resource-oriented programming language originally designed by the engineering team behind Diem, Meta's shelved stablecoin project. Its core idea is that digital assets are modeled as resources that cannot be copied or silently deleted, only moved between owners. That design removes an entire class of bugs that has drained billions from older smart-contract platforms, which is exactly why builders keep choosing it.
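The resource rules described above are enforced by the Move compiler through abilities: a struct that lacks `copy` cannot be duplicated, and one that lacks `drop` cannot be discarded, so the only legal ways to make it disappear are to move it somewhere or to unpack it inside the module that defined it. The module below is an added illustration written for this page, not code from Aptos, Sui or Hexens; the address `0x42`, the module name `coin_demo` and the `Coin` type are hypothetical.

```move
// Added example: a minimal linear resource in core Move.
// Hypothetical address and module name; not part of any real chain's code.
module 0x42::coin_demo {
    // `key` lets a Coin live in global storage; `store` lets it sit inside
    // other structs. There is deliberately no `copy` and no `drop`.
    struct Coin has key, store { value: u64 }

    // Create a resource. A real module would gate this behind a capability;
    // it is left open here only to keep the example self-contained.
    public fun mint(value: u64): Coin {
        Coin { value }
    }

    // Both inputs are consumed (moved in); exactly one Coin comes out.
    // The compiler verifies that no Coin is duplicated or lost on any path.
    public fun merge(a: Coin, b: Coin): Coin {
        let Coin { value: va } = a;
        let Coin { value: vb } = b;
        Coin { value: va + vb }
    }

    // The only way to destroy a Coin: explicit unpacking, which is allowed
    // solely inside the module that declared the struct.
    public fun burn(c: Coin) {
        let Coin { value: _ } = c;
    }

    public fun value(c: &Coin): u64 {
        c.value
    }

    // Both of the following are rejected at compile time, which is the
    // property the article relies on. Shown as comments so the module builds.
    //
    // public fun dup(c: &Coin): Coin { *c }
    //   -> error: dereference requires the `copy` ability
    //
    // public fun discard(_c: Coin) { }
    //   -> error: `_c` still contains a value without the `drop` ability

    #[test]
    fun merge_conserves_value() {
        let c = merge(mint(2), mint(3));
        assert!(value(&c) == 5, 0);
        // Must consume `c` before the test returns, or it will not compile.
        burn(c);
    }
}
```

The point of the two commented-out functions is that the guarantee lives in the compiler's ability checks and in the bytecode verifier that re-checks them on chain. A runtime that caches a resource and later hands the stale bytes back under a different type bypasses those checks without breaking them, which is why the Aptos bug could exist even though the language's rules were never violated in source.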

Think of Move less as one blockchain and more as a shared blueprint that several independent teams have each built their own house from. Aptos uses an account-based data model with a parallel execution engine called Block-STM. Sui rewrote the model around individual objects and runs its own dialect, Sui Move, on a separate virtual machine. Movement (MOVE) is building a Move-based network aimed at Ethereum compatibility, and Sei sits adjacent to the ecosystem with its own parallelized design.

The important distinction, and the one the $70 billion headline blurs, is the difference between the Move language and any single team's implementation of it. The language defines rules about types, ownership, and access. The virtual machine is the software that enforces those rules at runtime, including the bytecode verifier and the caching layer where this particular bug lived. A flaw in one team's enforcement code is not automatically a flaw in the shared design.

Did the Bug Hit Sui Too, or Only Aptos's VM?

This is the question that separates an Aptos problem from a Move problem, and the honest answer is that it was contained to Aptos. The stale-cache condition existed in the Aptos Move VM specifically, inside the caching path that Aptos's own engineers wrote to speed up resource access. Sui does not share that codebase.

Sui runs Sui Move on a virtual machine that Mysten Labs built separately, with an object-centric ownership model that differs fundamentally from Aptos's account-based approach. The two chains inherited the same language philosophy and then diverged so far in execution that a runtime cache bug on one has no direct path into the other. Sui was not exposed by this vulnerability, and neither Movement nor Sei ran the affected Aptos code.

The nuance worth sitting with is that the flaw was an implementation error, not proof that Move's type system is unsound. The language's resource rules held. The bug was in how one VM cached and re-fetched data, a mistake any high-performance runtime can make regardless of language. That reframes the risk, because the Move category is not built on uniformly fragile ground. Each chain carries the risk of its own engineering, and that risk is only as good as each team's audit and disclosure discipline.

Aptos vs Sui: Two Move Chains, Two Risk Profiles

Both chains came out of the same Diem alumni pool, yet they have grown into very different networks with different strengths and different exposure. Aptos has pulled ahead on stablecoins and enterprise reach, while Sui has built the deeper on-chain economy. The table below lays out where each one actually stands in mid-2026.

| Dimension | Aptos (APT) | Sui (SUI) |
|---|---|---|
| Launch and team | Mainnet 2022, Aptos Labs (ex-Meta Diem) | Mainnet 2023, Mysten Labs (ex-Meta Diem) |
| Data model | Account-based | Object-centric |
| Move dialect | Core Move | Sui Move (separate VM) |
| Consensus and execution | AptosBFT consensus with Block-STM parallel execution | Mysticeti consensus, sub-second finality |
| Stablecoin market cap | Leads the Move chains, around $1.6 billion | Around $700 million |
| DeFi TVL | Roughly $1 billion at peak | Higher, peaked near $2.6 billion |
| Exposure to the July flaw | Patched, no funds lost | Not affected |

Neither profile is strictly safer. Aptos just went through a critical private disclosure and came out the other side with a fast patch and a clean funds record, which is arguably a point in its favor rather than against it. Sui avoided this specific bug because its VM is a different piece of software, not because Move is invulnerable. Its own risk sits in its own less battle-tested code, and the deeper DeFi TVL means more value concentrated on the chain if something ever does break.


What the Flaw Means If You Hold APT or SUI

The practical takeaway is calmer than the headline suggests. A critical bug was found by paid security researchers, reported through a responsible channel, and fixed before anyone lost money. That is the security process working, not failing. The systems that should worry you are the ones where bugs get found by attackers first and disclosed by the loss of your balance.

What the episode does confirm is that these are young, high-performance chains where the attack surface is still being mapped. A $3,000 server produced a $70 billion finding, which means the next serious bug is a question of when, not if, for Aptos and for every chain in the category including Sui. The right response is not to avoid Move assets. It is to size positions with the honest understanding that infrastructure risk here is higher than on a chain like Bitcoin that has run continuously since 2009, and to treat active bug-bounty programs and public audit histories as a feature you should look for before committing capital. You can read more on how these exploits unfold in our breakdown of DeFi hacks and bridge exploits.

For traders rather than long-term holders, the near-term signal is muted precisely because nothing was stolen. There is no forced liquidation cascade to fade and no protocol insolvency to price in. The disclosure is a reputational data point, not a balance-sheet event, and APT held up through the July 4 news without the collapse a genuine exploit would have caused.

Frequently Asked Questions

Is Sui affected by the Aptos flaw?

No. The type-confusion bug lived in the Aptos Move virtual machine, a codebase Sui does not use. Sui runs its own Sui Move implementation on an object-centric VM built by Mysten Labs, so this specific vulnerability had no path into the Sui network.

Does the $70 billion figure mean $70 billion was at risk of being stolen?

Not directly. It is a first-order systemic risk estimate that counts everything an attacker could have theoretically reached through forged permissions, including bridges, cross-chain messaging, and stablecoin flows. The actual outcome was zero, because Aptos patched the bug months before it was made public.

Is the Move language itself insecure?

The flaw was an implementation bug in one team's runtime caching, not a failure of Move's type system. Move's resource model held throughout. The language remains one of the stronger designs for preventing asset-duplication bugs, but no language protects a chain from mistakes in the software that runs it.

Should I sell my APT or SUI because of this?

There is no exploit-driven reason to. No funds were lost and the vulnerability is closed. The reasonable move is to keep Move-chain positions sized for the reality that these are newer networks with higher infrastructure risk than established chains, and to favor projects with active bug bounties and public audits.

Bottom Line

The $70 billion number is real, but it describes a bullet that was dodged, not one that landed. Hexens found a genuine chain-ending flaw in the Aptos VM, Aptos closed it privately after the late-February report, and mainnet funds were never in play, which is closer to a security success than a security failure. Sui, Movement, and Sei were never exposed because a runtime bug in one team's code does not travel across the separate virtual machines each chain runs. Watch for a full Aptos post-mortem and for fresh audits from the other Move chains in response, because the honest lesson here is that a $3,000 server can still surface a risk measured in tens of billions on any young high-performance chain. Size Move positions for that reality and treat a live bug bounty as the price of admission.


This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency trading involves substantial risk. Always conduct your own research before making trading decisions.
