In-depth analysis in one article: A panoramic review of technological innovation and security incidents in the Move ecosystem in 2024

All articles · updated 3 months ago · wyatt
The Move ecosystem is gradually building a blockchain development model in which technological innovation and security are equally important, laying the foundation for the future evolution of blockchain technology.

The Move programming language, with its resource-centred, security-first architecture and modular development model, has brought disruptive changes to blockchain smart contracts. Driven by it, emerging public chains have achieved breakthroughs in high performance and scalability through innovative technologies such as parallel execution, object-centric design, and horizontal expansion. However, as the Move ecosystem continues to expand, its security challenges have also surfaced: the denial-of-service vulnerabilities exposed in 2023 and 2024 revealed how hard it is to balance complexity and security in blockchain systems. Through timely vulnerability fixes, strengthened permission management and continued code verification, the Move ecosystem is gradually building a blockchain development model in which technological innovation and security are equally important, laying the foundation for the future evolution of blockchain technology.


Move Programming Language: The Innovative Power of Blockchain Smart Contracts

Before we delve into the specific technological innovations in the Move ecosystem, we first need to understand the foundation of this ecosystem: the Move programming language. Move is a disruptive force in smart contract development. It not only redefines the possibilities of resource management and modular development, but also provides a solid technical foundation for the public chain projects in the ecosystem through its security-first design. Next, we analyze in detail the unique advantages of the Move language, and how the related public chains and projects demonstrate the huge potential of the Move ecosystem through their innovative smart contract architecture.

Move was originally developed by Facebook (now Meta) for the Diem (Libra) project to address the performance and security bottlenecks of traditional smart contract languages. Move's design emphasizes the clarity and security of resources to ensure the controllability of each state change on the blockchain. This innovative programming language has the following significant advantages:

Resource Management Model: Move treats assets as resources, which cannot be copied and cannot be silently discarded. This resource model avoids the double-spending and accidental asset destruction problems that are common in smart contracts.

Modular design: Move allows smart contracts to be built in a modular way, improving code reusability and reducing development complexity.

High security: Move has a large number of built-in security check mechanisms at the language level to prevent common security vulnerabilities, such as reentrancy attacks.

In summary, the Move programming language has set a new standard for blockchain smart contract development with its innovative design concept and powerful technical advantages. By treating assets as resources that cannot be copied or destroyed, Move greatly improves the security of resource management; its modular design brings developers greater flexibility and development efficiency. At the same time, the built-in multiple security check mechanism effectively avoids common smart contract vulnerability problems. These features not only solve the performance and security bottlenecks of traditional smart contract languages, but also provide a technical core for related emerging public chains, promoting the efficient and secure development of the blockchain ecosystem.

Security incidents in the Move ecosystem

As the Move ecosystem continues to develop, it also faces many security challenges while innovating in technology. From the core design of the virtual machine to the specific network operation mechanism, security issues have become an important factor affecting the stable development of the ecosystem. In recent years, two major security incidents in the Move ecosystem - the infinite recursion vulnerability in 2023 and the memory pool DoS vulnerability in 2024 - not only exposed the potential risks of the system, but also highlighted the importance of security research and vulnerability repair in the ecosystem. Through the close cooperation between the development team and third-party security agencies, these problems were solved in a timely manner, laying a security foundation for the further development of the Move ecosystem.

Image source: https://www.bankless.com/sui-vs-aptos

The specific security incident details are as follows:

In June 2023, a serious denial-of-service vulnerability was discovered in the Move virtual machine. It could cause an entire public chain such as Sui or Aptos to crash, and could even force a hard fork. After discovering the vulnerability, security researcher poetyellow published the relevant details. The Move virtual machine development team had also independently discovered the vulnerability and spent more than a month fixing it.

This vulnerability was an infinite recursion vulnerability. In programming languages, a stack overflow caused by unbounded recursive function calls is a common DoS vulnerability class, and even memory-safe Rust does not prevent it.

In September 2024, MoveBit discovered and assisted in fixing a mempool DoS vulnerability in the Aptos network, which was rated High. Because the mempool's transaction eviction mechanism was incomplete, this vulnerability could cause up to 90% of normal transactions to be rejected by nodes. The Aptos team fixed the vulnerability in v1.19.1, and MoveBit was thanked for its contribution in the official release notes.

From infinite recursion vulnerabilities to memory pool DoS vulnerabilities, these security incidents in the Move ecosystem reveal the potential security risks behind technological innovation, and also demonstrate the ability to respond and repair quickly in the ecosystem. However, solving security challenges not only depends on the handling of single events, but also requires systematic optimization from the overall architecture and language design level. Next, we will explore the Move ecosystem's continued focus on security from multiple dimensions such as resource management, permission control, and code auditing, and analyze how it can find a balance between technological development and security protection.

Security observations on the Move ecosystem

The emergence of the Move language provides a new way of smart contract programming for the blockchain ecosystem, which is mainly used on public chains such as Aptos and Sui. The original intention of the Move language is to focus on security, and prevent common vulnerabilities through its resource management, static type system and memory management. However, as the ecosystem continues to expand, Move still needs to focus on specific security areas:

Resource Management and State Consistency: Move's resource types allow developers to manage asset ownership explicitly in the contract. Although this reduces the risk of asset loss or reentrancy attacks, complex resource transfer and management logic may introduce new errors. Ensuring correct resource lifecycle management and avoiding resource transfer vulnerabilities are key.

Permission Control and Access Management: The modular development of the Move ecosystem facilitates component reuse, but module access control is crucial. Developers should strictly limit permissions for sensitive operations, make sure module functions have appropriate visibility and access levels, and prevent attackers from abusing high-privilege contract modules.

Security audits and code verification: The complexity of Move code increases the difficulty of auditing, and continuous security audits and formal verification are required to ensure that the code does not contain common risks such as overflows and logical errors. Standardized audit processes and regular code review help ensure the long-term security of the Move ecosystem.
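As an added illustration of the resource-management and permission-control points (the language features listed earlier and the security observations above), the following Move module is example code written for this article, not code from any Move project or public chain; the module address 0x42, the type and function names, and the error codes are all assumed. It shows a resource that the compiler will not let code copy or silently discard, and a withdraw path that is gated on the transaction signer rather than on a caller-supplied address.

```move
module 0x42::vault {
    use std::signer;

    /// Assumed error code for an over-large withdrawal.
    const EINSUFFICIENT: u64 = 1;

    /// Coin has neither `copy` nor `drop`: the compiler rejects any code that
    /// duplicates a Coin or lets one fall out of scope without consuming it,
    /// which is what rules out double-spending and accidental destruction.
    struct Coin has store { value: u64 }

    /// One Vault per account; `key` lets it live in global storage.
    struct Vault has key { balance: Coin }

    public fun mint(amount: u64): Coin { Coin { value: amount } }

    /// Consumes `src` by destructuring it; `+` aborts on u64 overflow instead
    /// of wrapping, so a merge can never silently lose value.
    public fun merge(dst: &mut Coin, src: Coin) {
        let Coin { value } = src;
        dst.value = dst.value + value;
    }

    public fun split(src: &mut Coin, amount: u64): Coin {
        assert!(src.value >= amount, EINSUFFICIENT);
        src.value = src.value - amount;
        Coin { value: amount }
    }

    /// `move_to` aborts if the account already holds a Vault.
    public entry fun open(account: &signer) {
        move_to(account, Vault { balance: Coin { value: 0 } });
    }

    /// Anyone may deposit into a vault; the deposited Coin is consumed.
    public fun deposit(owner: address, coin: Coin) acquires Vault {
        let vault = borrow_global_mut<Vault>(owner);
        merge(&mut vault.balance, coin);
    }

    /// Only the holder of the `signer` for `account` can withdraw from that
    /// account's vault: the address is derived from the signer, never passed in.
    public fun withdraw(account: &signer, amount: u64): Coin acquires Vault {
        let vault = borrow_global_mut<Vault>(signer::address_of(account));
        split(&mut vault.balance, amount)
    }

    // Both of these are compile errors, not runtime checks:
    //   let c = mint(10); deposit(a, c); deposit(b, c);  // `c` used after move
    //   let c = mint(10);                                // Coin lacks `drop`
}
```

The two commented lines at the end are the point of the example: the spending and destruction mistakes the article describes are rejected by the type checker before deployment, while the `withdraw` signature shows the permission-control pattern of tying a sensitive operation to a `signer` rather than to an address argument.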

Finally, we conclude that the launch of the Move programming language marks a major innovation in the field of blockchain smart contracts. Its unique resource management model, security-first design concept, and modular development approach solve the multiple bottlenecks of traditional smart contract languages in terms of performance, security, and flexibility. By treating assets as resources that cannot be copied or destroyed, Move effectively avoids common security issues such as double payments; at the same time, the implementation of modular design enables developers to reuse code more efficiently and reduce complexity. On public chains based on the Move language such as Aptos and Sui, the innovative parallel execution engine, object-centric design, and horizontal expansion technology have brought unprecedented high performance and scalability to the blockchain. All this indicates that the Move ecosystem is technically moving towards a new peak in the development of blockchain.

However, with the rapid expansion of the Move ecosystem, security issues have gradually emerged. Two key security incidents in 2023 and 2024, the infinite recursion vulnerability and the memory pool DoS vulnerability, revealed the delicate balance between complexity and security in blockchain systems. Despite this, the Move ecosystem has demonstrated its efficient ability to respond to security challenges through timely vulnerability repairs, enhanced permission management, and advancement of code verification. As a senior security audit company in the industry, BitsLab has always been committed to providing comprehensive security protection to safeguard the healthy development of the Move ecosystem and the blockchain industry, ensure that technological innovation and security protection can be promoted in parallel, and promote the future evolution of blockchain technology.

To read our full report please click:

https://bitslab.xyz/reports-page

About BitsLab

BitsLab is a security organization dedicated to protecting and building the emerging Web3 ecosystem. Its vision is to become a Web3 security organization respected by the industry and users. It has three sub-brands: MoveBit, ScaleBit and TonBit. BitsLab focuses on infrastructure development and security auditing of emerging ecosystems, covering but not limited to Sui, Aptos, TON, Linea, BNB Chain, Soneium, Starknet, Movement, Monad, Internet Computer and Solana. At the same time, BitsLab has demonstrated deep expertise in auditing multiple programming languages, including Circom, Halo2, Move, Cairo, Tact, FunC, Vyper and Solidity.

As a leader in blockchain security, BitsLab has provided security audit services for multiple flagship projects such as Movement, Aptos Framework, Catizen, Synthetix, Cetus, UniSat, Nervos CKB, iZUMI Finance, and Pontem. To date, BitsLab has delivered more than 400 security solutions, audited 400,000 lines of code, protected assets worth more than $8 billion, and provided security for more than 2 million users worldwide. These achievements demonstrate BitsLab's commitment to high-quality audit services and set the security standard for the blockchain industry.

In addition, the BitsLab team brings together many top vulnerability research experts who have won international CTF awards many times and have found critical vulnerabilities in well-known projects such as TON, Aptos, Sui, Nervos, OKX and Cosmos. BitsLab will continue to delve into the field of Web3 security and promote the healthy development of the emerging ecosystem.

Source: In-depth analysis in one article: A panoramic review of technological innovation and security incidents in the Move ecosystem in 2024
