Empirical Study of Move Smart Contract Security: Introducing MoveScan for Enhanced Analysis

Shuwei Song, Jiachi Chen, Ting Chen, Xiapu Luo, Teng Li, Wenwu Yang, Leqing Wang, Weijie Zhang, Feng Luo, Zheyuan He, Yi Lu, Pan Li

Research output: Chapter in book / Conference proceeding > Conference article published in proceeding or book > Academic research > peer-review

Abstract

Move, a programming language for smart contracts, stands out for its focus on security. However, the practical security efficacy of Move contracts remains an open question. This work conducts the first comprehensive empirical study on the security of Move contracts. Our initial step involves collaborating with a security company to manually audit 652 contracts from 92 Move projects. This process reveals eight types of defects, half of them previously unreported. These defects present potential security risks, cause functional flaws, mislead users, or waste computational resources. To further evaluate the prevalence of these defects in real-world Move contracts, we present MoveScan, an automated analysis framework that translates bytecode into an intermediate representation (IR), extracts essential meta-information, and detects all eight defect types. By leveraging MoveScan, we uncover 97,028 defects across all 37,302 deployed contracts in the Aptos and Sui blockchains, indicating a high prevalence of defects. Experimental results demonstrate that the precision of MoveScan reaches 98.85%, with an average project analysis time of merely 5.45 milliseconds. This surpasses the previous state-of-the-art tools: MoveLint, which exhibits an accuracy of 87.50% with an average project analysis time of 71.72 milliseconds, and Move Prover, which has a recall rate of 6.02% and requires manual intervention. Our research also yields new observations and insights that aid in developing more secure Move contracts.

Original language: English
Title of host publication: ISSTA 2024 - Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis
Editors: Maria Christakis, Michael Pradel
Publisher: Association for Computing Machinery, Inc
Pages: 1682-1694
Number of pages: 13
ISBN (Electronic): 9798400706127
DOIs
Publication status: Published - 11 Sept 2024
Event: 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2024 - Vienna, Austria
Duration: 16 Sept 2024 to 20 Sept 2024

Publication series

Name: ISSTA 2024 - Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis

Conference

Conference: 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2024
Country/Territory: Austria
City: Vienna
Period: 16/09/24 to 20/09/24

Keywords

  • Defect
  • Move language
  • Program analysis
  • Smart contract

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Computer Science Applications
  • Software
