Critical Flaw Reported in Move Virtual Machine Powering the Aptos Blockchain Network

Researchers have disclosed details about a now-patched critical
flaw in the Move virtual machine that powers the Aptos blockchain
network.

The vulnerability “can cause Aptos nodes to crash and cause
denial of service,” Singapore-based Numen Cyber Labs said^[1]
in a technical write-up published earlier this month.

Aptos is a new entrant^[2]
to the blockchain space, which launched^[3]
its mainnet^[4]
on October 17, 2022. It has its roots in the Diem stablecoin
payment system proposed by Meta (née Facebook), which also
introduced a short-lived digital wallet called Novi^[5].

The network is built using a platform-agnostic programming
language known as Move^[6], a Rust-based system
that’s designed^[7]
to implement and execute smart contracts^[8]
in a secure runtime environment^[9], also known as the Move
Virtual Machine (aka MoveVM^[10]).

The vulnerability^[11] identified by Numen
Cyber Labs is rooted in the Move language’s verification module
(“stack_usage_verifier.rs^[12]“), a component that
validates the bytecode instructions^[13] prior to its execution
in MoveVM.

Specifically, it relates to an integer overflow vulnerability^[14] in the stack-based^[15] Web3 programming
language that could result in undefined behavior and therefore
crashes.

“Since this vulnerability occurs in the Move execution module,
for nodes on the chain, if the bytecode code is executed, it will
cause a [Denial-of-Service] attack,” the cybersecurity firm
explained.

“In severe cases, the Aptos network can be completely stopped,
which will cause incalculable damage, and have a serious impact on
the stability of the node.”