MoveScanner: Analysis of Security Risks of Move Smart Contracts

As blockchain technology continues to evolve, the security of smart contracts has increasingly drawn attention from both academia and industry. The Move language, with its unique resource model and linear type system, provides a solid foundation for the security of digital assets. However, smart contracts still face new security challenges due to developer programming errors and the potential risks associated with cross-module interactions. This paper systematically analyzes the limitations of existing security tools within the Move ecosystem and reveals their unique vulnerability patterns. To address these issues, it introduces MoveScanner, a static analysis tool based on a control flow graph and data flow analysis architecture. By incorporating cross-module call graph tracking, MoveScanner can effectively identify five key types of security vulnerabilities, including resource leaks, weak permission management, and arithmetic overflows. In terms of design, MoveScanner adheres to a modular principle, supports bytecode-level analysis and multi-chain adaptation, and introduces innovative resource trajectory tracking algorithms and capability matrix analysis methods, thereby significantly reducing the false positive rate. Empirical results show that MoveScanner achieved 88.2% detection accuracy in benchmark testing, filling the gap in security tools in the Move ecosystem. Furthermore, this paper identifies twelve new types of security risks based on the resource-oriented programming paradigm and provides a theoretical foundation and practical experience for the development of smart contract security mechanisms. Future work will focus on combining formal verification and dynamic analysis techniques to build a security protection framework covering the entire contract lifecycle

💡 Research Summary

The paper presents MoveScanner, a static analysis framework designed to detect security vulnerabilities in Move smart contracts. Recognizing that Move’s resource‑oriented programming model and linear type system provide strong compile‑time guarantees yet are still vulnerable to developer mistakes—especially in cross‑module interactions—the authors first survey existing Move‑specific tools (MoveProver, MoveCheck, VerMove) and highlight their limitations in handling complex inter‑module flows and false‑positive rates.

MoveScanner’s architecture consists of three tightly coupled components: (1) a control‑flow graph (CFG) generator that parses Move bytecode into basic blocks, identifies jump instructions, and constructs a complete graph of all possible execution paths, including exceptional branches; (2) a data‑flow analysis engine that performs reaching‑definitions and live‑variable analyses using an iterative work‑list algorithm, enabling detection of uninitialized variables and improper resource handling; and (3) a cross‑module analysis module that builds a global call graph and a capability matrix, recording which modules possess which abilities (copy, drop, store, key) and how resources propagate across module boundaries. This three‑pronged approach gives MoveScanner a holistic view of both intra‑ and inter‑module resource flows.

Based on this infrastructure, the tool defines five primary vulnerability categories: (i) resource leaks where a resource is created but never moved or destroyed; (ii) permission defects where a Capability is inadvertently exposed or transferred without proper revocation; (iii) arithmetic overflows due to missing bounds checks; (iv) malformed public interfaces that accept or return unexpected types; and (v) missing exception handling that leaves resources dangling after a panic or abort. For each category, the authors devise rule‑based detectors that combine CFG path conditions, data‑flow facts, and capability‑matrix constraints, dramatically reducing false positives compared with prior tools.

The authors also identify twelve novel risk patterns unique to Move’s resource‑centric paradigm, such as one‑time‑use pattern violations, resource‑wrapper overflow, and cyclic capability propagation. These patterns are formally described and integrated into MoveScanner’s rule set, extending its coverage beyond the five core categories.

Experimental evaluation uses contracts from three major Move‑based blockchains—Aptos, Sui, and Diem—covering 120 real‑world contracts and a curated benchmark of known vulnerabilities. MoveScanner achieves an overall detection accuracy of 88.2 %, outperforming MoveCheck and VerMove, especially in cross‑module permission leaks and complex resource‑flow bugs where the baseline tools miss over 30 % of issues. The paper reports detailed precision/recall metrics for each vulnerability class, demonstrating the effectiveness of the capability‑matrix analysis in pruning spurious alerts.

Limitations are acknowledged: static analysis cannot capture runtime‑dependent behaviors such as gas‑driven execution paths, external oracle responses, or dynamic code loading. Consequently, some classes of bugs remain out of scope. The authors propose future work that integrates formal verification (e.g., Move Prover) with dynamic tracing (e.g., runtime instrumentation) to build a hybrid security framework covering the entire contract lifecycle—from development through deployment and execution.

In summary, MoveScanner fills a critical gap in the Move ecosystem by providing a modular, bytecode‑level static analyzer that leverages control‑flow, data‑flow, and cross‑module capability analysis to detect both known and newly identified security risks with high accuracy and low false‑positive rates, thereby advancing the security posture of Move‑based smart contracts.