# Auditing Move Contracts: A Comprehensive Guide 

By [ChaosSR](https://paragraph.com/@chaossr) · 2025-02-09

---

**I reached out to experienced Solidity auditors and Move developers with a simple question: _What should auditors know about Move? Here is the Answer._**

Why this matters to you
-----------------------

For Solidity auditors, it’s a goldmine due to the lack of experts and the rapid growth of ecosystems like **Sui** and **Aptos** and **multiVm’s** . Move’s **resource-oriented** programming reduces common vulnerabilities but introduces new challenges.

What to Expect
--------------

This article provides a foundational guide to auditing Move-based smart contracts, specifically tailored for Aptos. Whether you’re a developer, auditor, or blockchain enthusiast, you’ll find:

*   How Move auditing differs from Solidity auditing.
    
*   Why audits are critical even in a "safe-by-design" language.
    
*   Common vulnerabilities in Move codebases.
    
*   Tools and resources to kickstart your Move auditing journey.
    

Why Move’s Design Matters for Auditing
--------------------------------------

Move’s architecture introduces security properties that differ notably from Solidity:

*   **Arithmetic and Precision**: Arithmetic operations (such as overflow/underflow) are checked during VM execution, and division is integer-based (e.g., 10/3 gives 3), which is important to understand when auditing numeric logic.
    
*   **Control Flow & Access**: Function visibility (private, public(friend), and entry) and access control mechanisms in Move are stricter and more explicit than in Solidity.
    
*   **Resource Safety**: Digital assets in Move are modeled as resources that cannot be copied or dropped arbitrarily. This “linearity” guarantees that tokens or critical data are never duplicated or accidentally destroyed.
    
*   **Built-in Verification**: The Move Virtual Machine (VM) performs bytecode verification to enforce memory safety and type safety before execution.
    
*   **Static Call Semantics**: Unlike Solidity, Move does not support dynamic dispatch or fallback functions. Reentrancy attacks are impossible by design.
    

![features of move ](https://storage.googleapis.com/papyrus_images/5098a5ffd041de171126c963eb175463e93f1bf149c886cc518b8d226ab2d33e.png)

features of move

and you can read more about what make move secure here :

[https://pontem.network/posts/what-makes-move-safe](https://pontem.network/posts/what-makes-move-safe)

If Move Is Secure, Why Do We Need to Audit the Protocol and Why Do We Need Auditors?
------------------------------------------------------------------------------------

Even though Move is designed for safety:

*   **Human Error & Business Logic**: No language is immune to mistakes. Developers can still write flawed business logic or misconfigure permissions.
    
*   **Implementation Vulnerabilities**: The VM or its verifier may harbor subtle bugs. For instance, past vulnerabilities in the Move bytecode verifier on Aptos highlight that even “secure-by-design” systems need independent review.
    
*   **Language Novelty**: Move is relatively new, and developers might misuse built-in functions, leading to bugs. You can check previous audit reports (e.g., OtterSec) for examples.
    

Move vs. Solidity Auditing: Key Differences
-------------------------------------------

### **Eliminated Solidity-Specific Risks**

**Reentrancy**: Impossible due to static calls and the absence of fallback functions.

**Overflow/Underflow**: Caught by the MoveVM during execution.

    fun overflow(): u8 {
       let num: u8 = 255;
       num = num + 1;
       return num // Arithmetic error caught by the VM execution
    }
    

**Unchecked External Calls**: Move has no equivalent to Solidity's `delegatecall`.

### **Shared Risks**

**Access Control**: Misconfigured permissions can expose sensitive operations.

**Integer Division**: Incorrect calculations can occur. Use the `bigDecimals` module for precise calculations.

    public fun division_precision() {
        let amount = 10 / 3;
        debug::print<u8>(&amount); // Outputs 3 instead of 3.3333
    }
    

**Denial-of-Service (DoS)**: Infinite loops or excessive gas consumption can occur (Aptos uses gas similarly to Ethereum).

**Oracle Manipulation**: Reliance on external data remains a risk.

Is Rust Required?
-----------------

No! Move is a separate language with syntax inspired by Rust, but auditing focuses on Move itself. Rust knowledge may help with deeper VM insights but isn’t mandatory.

Learning Resources
------------------

*   **Audit Reports**: Analyze findings from [OtterSec](https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772) and [Halborn](https://halborn.com/).
    
*   **Move Audit Resources**: A curated collection of the best resources for Move auditing [0xriazaka’s GitHub](https://github.com/0xriazaka/Move-Audit-Resources).
    
*   **Monethic Articles**: Deep dives into Move security on [Medium](https://medium.com/@monethic).

---

*Originally published on [ChaosSR](https://paragraph.com/@chaossr/auditing-move-contracts-a-comprehensive-guide)*