Empirical Study of Move Smart Contract Security: Introducing MoveScan for Enhanced Analysis
Move, a programming language for smart contracts, stands out for its focus on security. However, the practical security efficacy of Move contracts remains an open question. This work conducts the first comprehensive empirical study on the security of Move contracts. Our initial step involves collaborating with a security company to manually audit 652 contracts from 92 Move projects. This process reveals eight types of defects, with half previously unreported. These defects present potential security risks, cause functional flaws, mislead users, or waste computational resources. To further evaluate the prevalence of these defects in real-world Move contracts, we present MoveScan, an automated analysis framework that translates bytecode into an intermediate representation (IR), extracts essential meta-information, and detects all eight defect types. By leveraging MoveScan, we uncover 97,028 defects across all 37,302 deployed contracts in the Aptos and Sui blockchains, indicating a high prevalence of defects. Experimental results demonstrate that the precision of MoveScan reaches 98.85%, with an average project analysis time of merely 5.45 milliseconds. This surpasses previous state-of-the-art tools MoveLint, which exhibits an accuracy of 87.50% with an average project analysis time of 71.72 milliseconds, and Move Prover, which has a recall rate of 6.02% and requires manual intervention. Our research also yields new observations and insights that aid in developing more secure Move contracts.
Fri 20 SepDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
13:30 - 14:50 | Smart ContractsTechnical Papers at EI 10 Fritz Paschke Chair(s): Michael Pradel University of Stuttgart | ||
13:30 20mTalk | Empirical Study of Move Smart Contract Security: Introducing MoveScan for Enhanced Analysis Technical Papers Shuwei Song University of Electronic Science and Technology of China, Jiachi Chen Sun Yat-sen University, Ting Chen University of Electronic Science and Technology of China, Xiapu Luo Hong Kong Polytechnic University, Teng Li University of Electronic Science and Technology of China, Wenwu Yang University of Electronic Science and Technology of China, Leqing Wang University of Electronic Science and Technology of China, Weijie Zhang Jiangsu University of Science and Technology, Feng Luo Hong Kong Polytechnic University, Zheyuan He University of Electronic Science and Technology of China, Yi Lu BitsLab, Pan Li MoveBit DOI | ||
13:50 20mTalk | FunRedisp: Reordering Function Dispatch in Smart Contract to Reduce Invocation Gas Fees Technical Papers Yunqi Liu Nanjing University of Science and Technology, Wei Song Nanjing University of Science and Technology DOI | ||
14:10 20mTalk | Identifying Smart Contract Security Issues in Code Snippets from Stack OverflowACM SIGSOFT Distinguished Paper Award Technical Papers Jiachi Chen Sun Yat-sen University, Chong Chen Sun Yat-sen University, Jiang Hu Sun Yat-sen University, John Grundy Monash University, Yanlin Wang Sun Yat-sen University, Ting Chen University of Electronic Science and Technology of China, Zibin Zheng Sun Yat-sen University DOI Pre-print | ||
14:30 20mTalk | Midas: Mining Profitable Exploits in On-Chain Smart Contracts via Feedback-Driven Fuzzing and Differential Analysis Technical Papers Mingxi Ye Sun Yat-sen University, Xingwei Lin Zhejiang University, Yuhong Nan Sun Yat-sen University, Jiajing Wu Sun Yat-sen University, Zibin Zheng Sun Yat-sen University DOI | ||