MoveScanner: Analysis of Security Risks of Move Smart Contracts
Yuhe Luo, Zhongwen Li, Xiaoqi Li
TL;DR
This work introduces MoveScanner, a modular static analysis tool for Move smart contracts that tracks resources across modules via a control-flow and data-flow framework, complemented by cross-module call graphs. It targets five vulnerability classes and reports 88.2% detection accuracy on benchmarks, along with notable reductions in false positives through resource trajectory and capability analysis. The study also identifies twelve new Move-specific security risks arising from cross-component interactions and provides empirical results across benchmarks, open-source projects, and production contracts. The results demonstrate the value of combining static analysis with cross-module tracing to strengthen security in the Move ecosystem and guide future work toward formal verification and hybrid analysis techniques.
Abstract
As blockchain technology continues to evolve, the security of smart contracts has increasingly drawn attention from both academia and industry. The Move language, with its unique resource model and linear type system, provides a solid foundation for the security of digital assets. However, smart contracts still face new security challenges due to developer programming errors and the potential risks associated with cross-module interactions. This paper systematically analyzes the limitations of existing security tools within the Move ecosystem and reveals their unique vulnerability patterns. To address these issues, it introduces MoveScanner, a static analysis tool based on a control flow graph and data flow analysis architecture. By incorporating cross-module call graph tracking, MoveScanner can effectively identify five key types of security vulnerabilities, including resource leaks, weak permission management, and arithmetic overflows. In terms of design, MoveScanner adheres to a modular principle, supports bytecode-level analysis and multi-chain adaptation, and introduces innovative resource trajectory tracking algorithms and capability matrix analysis methods, thereby significantly reducing the false positive rate. Empirical results show that MoveScanner achieved 88.2% detection accuracy in benchmark testing, filling the gap in security tools in the Move ecosystem. Furthermore, this paper identifies twelve new types of security risks based on the resource-oriented programming paradigm and provides a theoretical foundation and practical experience for the development of smart contract security mechanisms. Future work will focus on combining formal verification and dynamic analysis techniques to build a security protection framework covering the entire contract lifecycle