
A Systematic Classification of Vulnerabilities in MoveEVM Smart Contracts (MWC)

Selçuk Topal

TL;DR

The paper presents MoveEVM Weakness Classification (MWC), a dedicated vulnerability taxonomy for Move-based contracts running on EVM-compatible runtimes, comprising 37 weakness types (MWC-100 to MWC-136) organized into six frames to capture hybrid execution risks. It demonstrates that standard SWC/EVM-focused tools miss many hybrid vulnerabilities and shows, via real-world Aptos/Sui case studies, how MWC can classify and guide remediation. The authors advocate combining formal verification (MoveProver, model checkers) with AI-assisted auditing (logic-driven LLM agents and structured pipelines) to enable scalable, logic-aware security assessments, benchmarks, and co-auditing workflows. The framework aims to improve tool coverage, guide safe language and runtime evolution, and support safer, verifiable MoveEVM deployments across cross-chain and Layer 2 contexts. Overall, MWC provides a structured foundation for rigorous auditing, tooling, and future research in the security of hybrid MoveEVM smart contracts.

Abstract

We introduce the MoveEVM Weakness Classification (MWC) system -- a dedicated vulnerability taxonomy for smart contracts built with Move and executed in EVM-compatible environments. While Move was originally designed to prevent common security flaws via linear resource types and strict ownership, its integration with EVM bytecode introduces novel hybrid vulnerabilities not captured by existing systems like the SWC registry. Our taxonomy spans 37 categorized vulnerability types (MWC-100 to MWC-136) across six semantic frames, addressing issues such as hybrid gas metering, capability misuse, meta-transaction spoofing, and AI-integrated logic. Through analysis of real-world contracts from Aptos and Sui, we demonstrate that current verification tools often miss these hybrid risks. We also explore how formal methods and LLM-based audit agents can operationalize this classification, enabling scalable, logic-aware smart contract auditing. MWC lays the foundation for more secure and verifiable contracts in next-generation blockchain systems. (Shortened Abstract)

Paper Structure

This paper contains 50 sections, 1 table.