
A Deep Dive: A Comprehensive Review of Technological Innovations and Security Incidents in the Move Ecosystem in 2024
TechFlow Selected
The Move ecosystem is gradually building a blockchain development model that emphasizes both technological innovation and security, laying the foundation for the future evolution of blockchain technology.
The Move programming language has brought transformative change to blockchain smart contracts through its unique resource management design, security-first architecture, and modular development model. Driven by these innovations, emerging blockchains have achieved breakthroughs in high performance and scalability via technologies such as parallel execution, object-centric design, and horizontal scaling. However, as the Move ecosystem continues to expand, its security has faced real-world challenges. Denial-of-service vulnerabilities exposed in 2023 and 2024 highlighted the delicate balance between complexity and security in blockchain systems. Through timely vulnerability fixes, strengthened permission management, and advancements in code verification, the Move ecosystem is gradually building a blockchain development model that values both technological innovation and security, laying the foundation for the future evolution of blockchain technology.

Move Programming Language: A Revolutionary Force in Blockchain Smart Contracts
Before diving into specific technological innovations within the Move ecosystem, it's essential to first understand its foundation—the Move programming language. As a disruptive force in blockchain smart contract development, Move not only redefines the possibilities of resource management and modular development but also provides a solid technical backbone for related public chain projects through its security-first design philosophy. In the following sections, we will analyze in detail the unique advantages of the Move language and how associated chains and projects leverage innovative smart contract architectures to demonstrate the immense potential of the Move ecosystem.
Originally developed by Facebook (now Meta) for the Diem (Libra) project, Move was designed to overcome performance and security bottlenecks inherent in traditional smart contract languages. Move emphasizes explicitness and security in resource handling, ensuring controllability over every state transition on the blockchain. This innovative programming language offers several key advantages:
Resource Management Model: Move treats digital assets as resources that cannot be copied or destroyed. This unique model prevents common issues in smart contracts such as double-spending or accidental asset destruction.
Modular Design: Move enables smart contracts to be built in a modular fashion, improving code reuse and reducing development complexity.
High Security: Move incorporates extensive security checks at the language level, preventing common vulnerabilities like reentrancy attacks.
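The resource model described above, as an added example that is not code from the original article or from any project it names (the module address `0x42`, the module name and the `Coin` type are hypothetical): a `Coin` without the `copy` and `drop` abilities can only be moved, and the bytecode verifier rejects any code that duplicates it or lets it vanish without an explicit unpack.

```move
// Added example (not from the original article): a minimal Move module
// illustrating the resource model. Address, names and the Coin type are
// hypothetical.
module 0x42::demo_coin {
    use std::signer;

    /// `Coin` has only `key` and `store`: no `copy`, no `drop`. The verifier
    /// therefore rejects code that duplicates a Coin or drops one silently,
    /// which is what rules out double-spending and accidental asset loss.
    struct Coin has key, store {
        value: u64,
    }

    const E_INSUFFICIENT: u64 = 1;

    /// Only this module can construct a Coin (struct fields are module-private).
    public fun mint(value: u64): Coin {
        Coin { value }
    }

    /// Moves a Coin under the caller's account so it becomes persistent state.
    /// Aborts if the account already holds a Coin (move_to semantics).
    public fun deposit(account: &signer, coin: Coin) {
        move_to(account, coin);
    }

    /// Withdraws part of the stored balance. Only the u64 amount is copied;
    /// the Coin resource itself is never duplicated.
    public fun withdraw(account: &signer, amount: u64): Coin acquires Coin {
        let holder = borrow_global_mut<Coin>(signer::address_of(account));
        assert!(holder.value >= amount, E_INSUFFICIENT);
        holder.value = holder.value - amount;
        Coin { value: amount }
    }

    /// A Coin can only disappear through an explicit unpack inside its own
    /// module; there is no implicit destruction anywhere else.
    public fun burn(coin: Coin) {
        let Coin { value: _ } = coin;
    }

    // The following would NOT compile, because Coin lacks `copy` and `drop`:
    //   let c2 = copy c1;      // error: Coin does not have the 'copy' ability
    //   fun lose(c: Coin) {}   // error: unused value without the 'drop' ability
}
```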
In summary, the Move programming language sets a new standard for blockchain smart contract development with its innovative design principles and strong technical strengths. By treating assets as non-duplicable and non-destroyable resources, Move significantly enhances the security of resource management. Its modular design offers developers greater flexibility and improved development efficiency. Meanwhile, built-in multi-layered security checks effectively prevent common smart contract vulnerabilities. These features not only resolve performance and security limitations of traditional smart contract languages but also provide a core technological foundation for emerging public chains, driving efficient and secure growth across the blockchain ecosystem.
Security Incidents in the Move Ecosystem
As the Move ecosystem evolves, it faces significant security challenges alongside its technological innovations. From core virtual machine designs to network-level operational mechanisms, security issues have become critical factors affecting the ecosystem’s stable development. Two major security incidents in recent years—the infinite recursion vulnerability in 2023 and the mempool DoS vulnerability in 2024—not only revealed underlying risks but also underscored the importance of security research and prompt vulnerability remediation within the ecosystem. Thanks to close collaboration between development teams and third-party security firms, these issues were swiftly addressed, establishing a more secure foundation for the continued growth of the Move ecosystem.

[Image omitted. Image source: https://www.bankless.com/sui-vs-aptos]
Detailed incident summaries are as follows:
In June 2023, a critical denial-of-service vulnerability was discovered in the Move Virtual Machine (Move VM), which could potentially cause network-wide outages on chains like Sui and Aptos, and even lead to hard forks. Security researcher poetyellow publicly disclosed details after discovery. However, the Move VM team had independently identified the same issue earlier and spent over a month developing a fix.
This vulnerability was an infinite recursion flaw—a common type of DoS vulnerability in programming where recursive function calls exhaust the call stack, leading to crashes. Even memory-safe languages like Rust are susceptible to such issues.
In September 2024, MoveBit successfully identified and assisted in patching a High-severity mempool DoS vulnerability in the Aptos network. Due to an inadequate transaction eviction mechanism in the mempool, up to 90% of legitimate transactions could be rejected by nodes. The Aptos team resolved the issue in version v1.19.1, publicly acknowledging MoveBit’s contribution in their release notes.
From infinite recursion flaws to mempool DoS attacks, these security events in the Move ecosystem reveal hidden risks behind technological innovation while demonstrating the ecosystem’s capacity for rapid response and remediation. However, addressing security challenges requires more than just fixing individual incidents—it demands systematic optimization at the architectural and language-design levels. Next, we will explore ongoing security concerns within the Move ecosystem from multiple dimensions including resource management, access control, and code auditing, analyzing how it balances technological advancement with robust security protection.
Security Observations in the Move Ecosystem
The emergence of the Move language has introduced a novel approach to smart contract programming in the blockchain ecosystem, primarily adopted by public chains such as Aptos and Sui. Designed with security as a core principle, Move leverages resource management, static typing, and memory safety mechanisms to prevent common vulnerabilities. Nevertheless, as the ecosystem expands, certain security domains require sustained attention:
Resource Management and State Consistency: Move’s unique resource types allow developers to explicitly manage asset ownership within contracts, reducing risks such as asset loss or reentrancy attacks. However, complex logic around resource transfers can introduce new errors. Ensuring effective lifecycle management of resources and preventing transfer-related vulnerabilities remains crucial.
Permission Control and Access Management: While modular development in the Move ecosystem facilitates component reuse, proper access control for modules is vital. Developers must strictly limit permissions for sensitive operations, ensuring that module functionalities and access levels are logically sound and resistant to exploitation by attackers leveraging high-privilege modules.
Security Audits and Code Verification: The growing complexity of Move code increases the difficulty of auditing. Continuous security audits and formal verification are necessary to detect risks such as overflows and logical flaws. Standardized audit processes and regular code reviews help ensure the long-term security of the Move ecosystem.
In conclusion, the introduction of the Move programming language marks a significant milestone in the evolution of blockchain smart contracts. Its distinctive resource management model, security-first design philosophy, and modular development paradigm address multiple limitations of traditional smart contract languages in terms of performance, security, and flexibility. By treating assets as non-duplicable and non-destroyable resources, Move effectively mitigates common security threats like double-spending. At the same time, modular design enables more efficient code reuse and reduced complexity for developers. On Move-based public chains like Aptos and Sui, innovative technologies—including parallel execution engines, object-centric data models, and horizontal scaling—deliver unprecedented levels of performance and scalability. Together, these advances signify that the Move ecosystem is reaching new heights in blockchain innovation.
Yet, as the Move ecosystem rapidly expands, security concerns have begun to surface. Two critical incidents in 2023 and 2024—the infinite recursion vulnerability and the mempool DoS flaw—highlight the intricate balance between system complexity and security assurance. Despite these challenges, the Move ecosystem has demonstrated strong capabilities in responding to threats through timely patching, enhanced permission controls, and progress in code verification. As an industry-leading security audit firm, BitsLab remains committed to delivering comprehensive protection, supporting the healthy development of the Move ecosystem and the broader blockchain industry. We ensure that technological innovation and security safeguards advance hand-in-hand, paving the way for the next generation of blockchain technology.
To read our full report, please click:
https://bitslab.xyz/reports-page
About BitsLab
BitsLab is a security organization dedicated to safeguarding and building emerging Web3 ecosystems, with a vision to become a trusted and respected leader in Web3 security. It operates three sub-brands: MoveBit, ScaleBit, and TonBit. BitsLab specializes in infrastructure development and security auditing for emerging ecosystems, covering networks including Sui, Aptos, TON, Linea, BNB Chain, Soneium, Starknet, Movement, Monad, Internet Computer, and Solana. Additionally, BitsLab demonstrates deep expertise in auditing various programming languages such as Circom, Halo2, Move, Cairo, Tact, FunC, Vyper, and Solidity.
MoveBit (Mobisec), the flagship brand under BitsLab, focuses exclusively on blockchain security in the Move ecosystem. By pioneering the use of formal verification, MoveBit aims to make the Move ecosystem the most secure Web3 environment. MoveBit has collaborated with numerous globally recognized projects, delivering comprehensive security audit services. The MoveBit team comprises renowned security experts from academia and industry leaders with over a decade of experience, publishing cutting-edge research at top-tier international security conferences such as NDSS and CCS. As early contributors to the Move ecosystem, they have worked alongside Move developers to establish standards for secure Move applications. MoveBit has also uncovered multiple vulnerabilities in the Sui, Movement, and Aptos ecosystems, including high-risk flaws in the Aptos network, earning official recognition and thanks from the Aptos team.
As a leader in blockchain security, BitsLab has provided audit services for flagship projects such as Movement, Aptos Framework, Catizen, Synthetix, Tether, Cetus, UniSat, Nervos CKB, iZUMI Finance, and Pontem. To date, BitsLab has delivered over 400 security solutions, audited more than 400,000 lines of code, protected digital assets worth over $8 billion, and secured operations for over 2 million users worldwide. These achievements reflect BitsLab’s unwavering commitment to high-quality audit services and set industry benchmarks in blockchain security.
Furthermore, the BitsLab team includes multiple elite vulnerability researchers who have won awards in international CTF competitions and discovered critical vulnerabilities in prominent projects such as TON, Aptos, Sui, Nervos, OKX, and Cosmos. BitsLab will continue to deepen its expertise in Web3 security, supporting the sustainable growth of emerging blockchain ecosystems.