The Move programming language has brought disruptive changes to blockchain smart contracts with its unique resource management design, security-first architecture, and modular development model. Driven by these innovations, the emerging public blockchains have achieved high performance and scalability breakthroughs through technologies such as parallel execution, object-oriented design, and horizontal scaling. However, as the Move ecosystem expands, its security has also faced challenges in real-world applications. The denial-of-service vulnerabilities exposed in 2023 and 2024 highlight the delicate balance between complexity and security in blockchain systems. Through timely patching of vulnerabilities, strengthening permission management, and advancing code verification, the Move ecosystem is gradually building a blockchain development model that balances technological innovation with security, laying the foundation for the future evolution of blockchain technology.
Move Programming Language: A Revolutionary Force in Blockchain Smart Contracts
Before delving into the specific technological innovations within the Move ecosystem, it is essential first to understand the foundation of this ecosystem—the Move programming language. As a disruptive force in blockchain smart contract development, Move redefines the possibilities of resource management and modular development and provides a solid technological backbone for public chain projects through its security-first design philosophy. In the following, we will analyze the unique advantages of the Move language and how related blockchains, through innovative smart contract architectures, successfully showcase the vast potential of the Move ecosystem.
The Move language was originally developed by Facebook (now Meta) for the Diem (Libra) project to address the performance and security bottlenecks inherent in traditional smart contract languages. The design of Move emphasizes the clarity and security of resources, ensuring that every state change on the blockchain is controllable. This innovative programming language offers the following key advantages:
Resource Management Model: Move treats assets as resources. A resource type that lacks the copy ability cannot be duplicated, and one that lacks the drop ability cannot be silently discarded: every such value must be stored, transferred, or explicitly destructured, and the compiler rejects code that does anything else. This rules out whole classes of smart contract bugs, such as double-spending through duplication and accidental asset destruction.
Modular Design: Move allows smart contracts to be built modularly, improving code reusability and reducing development complexity.
High Security: Move pushes many checks into the language and its bytecode verifier, which enforces type, reference, and ability safety before any code runs. Module dependencies are static and acyclic and there is no dynamic dispatch, so a called module cannot call back into its caller; this removes reentrancy attacks by construction rather than leaving them to the developer.
In summary, with its innovative design principles and technical advantages, the Move programming language has set a new standard for blockchain smart contract development. By treating assets as resources that can be neither copied nor silently discarded, Move enforces sound asset handling at compile time. Its modular design gives developers greater flexibility and efficiency, and its built-in verification guards against several common classes of vulnerability.
Security Events in the Move Ecosystem
As the Move ecosystem evolves, it faces numerous security challenges alongside its technological innovations. From the core design of its virtual machine to the specific mechanisms of network operation, security issues have become critical factors affecting the ecosystem's stability and development. In recent years, two significant security events have occurred within the Move ecosystem: an infinite recursion vulnerability in 2023 and a mempool (transaction memory pool) DoS vulnerability in 2024. These incidents exposed real risks in the system and underscored the importance of security research and vulnerability remediation within the ecosystem. Thanks to close collaboration between development teams and third-party security organizations, both issues were promptly addressed, laying a solid foundation for the further development of the Move ecosystem.
Image Source: https://www.bankless.com/sui-vs-aptos
Details of Specific Security Events:
In June 2023, a critical denial-of-service (DoS) vulnerability was discovered in the Move virtual machine. It could have brought public blockchains such as Sui and Aptos to a complete halt or even forced a hard fork. Security researcher Poetyellow later disclosed the details; the Move virtual machine development team had independently discovered the issue earlier and spent more than a month resolving it.
The vulnerability was an infinite recursion flaw. Unbounded recursion exhausts the call stack, and a stack overflow is a process abort rather than a catchable error, so in a validator it means the node crashes. Memory-safe languages such as Rust do not prevent this: they rule out memory corruption, not resource exhaustion. Any recursive routine that walks input an attacker can shape therefore needs an explicit depth bound.
In September 2024, MoveBit discovered and helped fix a mempool DoS vulnerability in the Aptos network, rated High severity. The flaw lay in an inadequate transaction eviction mechanism in the mempool; under attack, up to 90% of valid transactions could have been rejected by nodes. The Aptos team resolved the issue in release v1.19.1 and publicly acknowledged MoveBit's contribution in the official release notes.
From the infinite recursion vulnerability to the memory pool DoS issue, these security incidents within the Move ecosystem reveal the potential risks that come with technological innovation. At the same time, they demonstrate the ecosystem's ability to respond quickly and implement effective fixes. However, resolving security challenges cannot rely solely on addressing individual incidents. It requires systematic optimization at the level of overall architecture and language design. Next, we will explore critical aspects such as resource management, permission control, and code auditing to analyze how the Move ecosystem balances technological advancements and security protections.
Security Observations in the Move Ecosystem
The emergence of the Move programming language has introduced a new approach to smart contract development, applied primarily in public chains such as Aptos and Sui. Move was designed around security from the start: its resource model, its static type and ability system, and the reference-safety checks of its bytecode verifier prevent many common vulnerabilities before code runs. As the ecosystem expands, however, the following areas require ongoing attention:
Resource Management and State Consistency: Move's resource types let developers manage asset ownership within contracts explicitly. This reduces risks such as asset loss, but the guarantee is narrow: the ability system ensures a resource is neither duplicated nor lost, not that it ends up in the right place. A transfer that sends a resource to the wrong address, or a withdrawal that never checks who is allowed to withdraw, type-checks just fine. Getting resource lifecycle management right and avoiding flawed transfer logic remains the developer's job.
Permission Control and Access Management: The modular development approach of the Move ecosystem makes component reuse easy, but access to modules must be controlled. Public and public entry functions can be called by anyone, so every sensitive operation needs an explicit authorization check, either a signer comparison or, better, a capability resource that only the authorized account holds, and functions meant for internal use should be private or public(friend). Otherwise an attacker can drive a high-privilege module directly.
Security Auditing and Code Verification: The complexity of Move code makes auditing harder, so continuous security audits and formal verification (for example with the Move Prover) are needed to rule out logic errors, arithmetic that can abort (Move aborts on integer overflow rather than wrapping, so an unchecked addition becomes a denial of service on that function), and other common risks. Standardized audit processes and regular code reviews are essential for the long-term security of the Move ecosystem.
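The following module is an added illustration of the three points above (resource lifecycle, permission control, and verification); it is not code from the report or from any audited project. It is written in Aptos-style Move. The module address 0x42, the struct and function names, the error codes and the test addresses are all assumptions chosen for the example.

```move
// Added example, not from the report: a minimal vault showing resource
// abilities, capability-based permission control, and a Move Prover spec.
// Address 0x42, names, error codes and test addresses are assumptions.
module 0x42::vault {
    use std::signer;

    const E_NOT_AUTHORIZED: u64 = 1;
    const E_INSUFFICIENT_BALANCE: u64 = 2;
    const E_NO_VAULT: u64 = 3;

    /// Asset resource. It has `store` only: no `copy` (cannot be duplicated)
    /// and no `drop` (cannot be silently discarded). Any Coin a function
    /// receives must be stored, returned or destructured, or it fails to
    /// compile; that is what rules out accidental burns and double-spends.
    struct Coin has store { value: u64 }

    /// Per-account holder published under the owner's address (`key`).
    struct Vault has key { balance: Coin }

    /// Capability resource: proof of authority to mint. Created once at
    /// publication and stored only under the publisher's account.
    struct MintCap has key {}

    /// Aptos runs a private `init_module` once when the module is published.
    fun init_module(publisher: &signer) {
        move_to(publisher, MintCap {});
    }

    /// Privileged operation: private, so only this module can reach it, and
    /// only by presenting a reference to a MintCap resource.
    fun mint(_cap: &MintCap, amount: u64): Coin {
        Coin { value: amount }
    }

    /// The only externally callable minting path. `public entry` means anyone
    /// can submit it, so the authorization check is explicit: the signer must
    /// hold a MintCap, otherwise the call aborts with E_NOT_AUTHORIZED.
    public entry fun mint_to(admin: &signer, recipient: address, amount: u64)
    acquires MintCap, Vault {
        let admin_addr = signer::address_of(admin);
        assert!(exists<MintCap>(admin_addr), E_NOT_AUTHORIZED);
        let cap = borrow_global<MintCap>(admin_addr);
        deposit_internal(recipient, mint(cap, amount));
    }

    public entry fun open_vault(account: &signer) {
        move_to(account, Vault { balance: Coin { value: 0 } });
    }

    fun deposit_internal(addr: address, coin: Coin) acquires Vault {
        assert!(exists<Vault>(addr), E_NO_VAULT);
        // Destructuring is the only way to consume a Coin without storing it.
        let Coin { value } = coin;
        let vault = borrow_global_mut<Vault>(addr);
        vault.balance.value = vault.balance.value + value; // aborts on overflow
    }

    public fun deposit(account: &signer, coin: Coin) acquires Vault {
        deposit_internal(signer::address_of(account), coin);
    }

    /// Withdraw from the caller's own vault. The returned Coin cannot be
    /// dropped, so the caller is forced to deposit or destructure it.
    public fun withdraw(account: &signer, amount: u64): Coin acquires Vault {
        let addr = signer::address_of(account);
        assert!(exists<Vault>(addr), E_NO_VAULT);
        let vault = borrow_global_mut<Vault>(addr);
        assert!(vault.balance.value >= amount, E_INSUFFICIENT_BALANCE);
        vault.balance.value = vault.balance.value - amount;
        Coin { value: amount }
    }

    /// Move Prover spec for `withdraw`: exact abort conditions, and the
    /// balance drops by exactly `amount` while the returned Coin carries
    /// `amount`. The prover checks this for all inputs, not just test cases.
    spec withdraw {
        let addr = signer::address_of(account);
        aborts_if !exists<Vault>(addr);
        aborts_if global<Vault>(addr).balance.value < amount;
        ensures global<Vault>(addr).balance.value
            == old(global<Vault>(addr).balance.value) - amount;
        ensures result.value == amount;
    }

    // Both of these are rejected at compile time by the ability system:
    //   fun burn_by_accident(_c: Coin) { }        // Coin has no `drop`
    //   fun duplicate(c: &Coin): Coin { *c }      // Coin has no `copy`

    #[test(admin = @0x42, user = @0xA11CE)]
    fun mint_then_move_funds(admin: signer, user: signer) acquires MintCap, Vault {
        init_module(&admin);
        open_vault(&user);
        mint_to(&admin, @0xA11CE, 100);
        let c = withdraw(&user, 40);
        assert!(c.value == 40, 0);
        deposit(&user, c); // leaving `c` unused here would not compile
        assert!(borrow_global<Vault>(@0xA11CE).balance.value == 100, 1);
    }

    #[test(user = @0xB0B)]
    #[expected_failure(abort_code = 1, location = Self)]
    fun unauthorized_mint_aborts(user: signer) acquires MintCap, Vault {
        open_vault(&user);
        mint_to(&user, @0xB0B, 1);
    }
}
```

With the Aptos CLI, aptos move test runs the two unit tests (the second one confirms that an account without a MintCap aborts with E_NOT_AUTHORIZED) and aptos move prove discharges the spec on withdraw. The design choice worth noting is that the privileged mint function is private and keyed on a resource rather than on an address comparison: the only way to reach it is through mint_to, which has to prove MintCap ownership first, so adding a second admin later means publishing another MintCap rather than editing a hard-coded address.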
In conclusion, the introduction of the Move programming language represents a significant revolution in the field of blockchain smart contracts. Its unique resource management model, security-first design philosophy, and modular development approach address multiple bottlenecks in performance, security, and flexibility faced by traditional smart contract languages. By making assets resources that can be neither copied nor silently discarded, Move rules out common issues such as double-spending at compile time. At the same time, its modular design enables developers to reuse code more efficiently and reduce complexity. On public blockchains like Aptos and Sui, which are based on the Move language, innovative technologies such as parallel execution engines, object-oriented design, and horizontal scaling have brought unprecedented performance and scalability to blockchain systems. This marks Move's ecosystem as a technological leap forward in blockchain development.
However, security issues have gradually emerged as the Move ecosystem rapidly expands. Two critical security incidents in 2023 and 2024, an infinite recursion vulnerability and a mempool DoS vulnerability, highlight the delicate balance between complexity and security in blockchain systems. Nevertheless, the Move ecosystem has demonstrated strong capabilities in addressing security challenges through timely vulnerability fixes, enhanced permission management, and advancements in code verification. As a leading security auditing company, BitsLab remains committed to providing comprehensive security assurance and safeguarding the healthy development of the Move ecosystem and the blockchain industry. By ensuring the parallel progression of technological innovation and security measures, BitsLab continues to contribute to the future evolution of blockchain technology.
This article is an excerpt from our “BitsLab Spotlight | 2024 Emerging Blockchain Ecosystems: A Comprehensive Overview and Security Research Report”, a meticulously crafted research report.
To view our full research report, please click this link: https://bitslab.xyz/reports-page
About BitsLab
BitsLab is a security organization dedicated to safeguarding and building emerging Web3 ecosystems, with a vision to become a highly respected Web3 security institution recognized by the industry and its users. It operates three sub-brands: MoveBit, ScaleBit, and TonBit. BitsLab focuses on infrastructure development and security audits for emerging ecosystems, covering but not limited to Sui, Aptos, TON, Linea, BNB Chain, Soneium, Starknet, Movement, Monad, Internet Computer, and Solana. Additionally, BitsLab demonstrates profound expertise in auditing various programming languages, including Circom, Halo2, Move, Cairo, Tact, FunC, Vyper, and Solidity.
As a leader in blockchain security, BitsLab has provided security auditing services for flagship projects such as Movement, Aptos Framework, Catizen, Synthetix, Tether, Cetus, UniSat, Nervos CKB, iZUMI Finance, and Pontem. To date, BitsLab has delivered over 400 security solutions, audited over 400,000 lines of code, and safeguarded assets worth over $8 billion, providing security for over 2 million users worldwide. These achievements reflect BitsLab's commitment to high-quality audit services and its role in setting security standards for the blockchain industry.
Furthermore, the BitsLab team comprises top vulnerability research experts who have repeatedly won international CTF awards and discovered critical vulnerabilities in well-known projects such as TON, Aptos, Sui, Nervos, OKX, and Cosmos. BitsLab will continue to focus on advancing security in the Web3 space, contributing to the healthy development of emerging ecosystems.
Visit BitsLab's official website: https://bitslab.xyz/
BitsLab's official Twitter: https://x.com/0xbitslab
Join the official Telegram community: https://t.me/BitsLabHQ
BitsLab brand resources: https://somber-throne-617.notion.site/BitsLab-Brand-Assets-12e7c2e0096880e58c9fd49f0852f49b
BitsLab Sub-brand Official Websites:
MoveBit: https://www.movebit.xyz/
TonBit: https://www.tonbit.xyz/
ScaleBit: https://www.scalebit.xyz/