
MoveBit under BitsLab Releases Research|Belobog: A Move Fuzz Testing Framework for Real-World Attacks

AIcoin 2025/12/16 09:34
By: AIcoin
MoveBit is a blockchain security company focused on the Move ecosystem, pioneering the use of formal verification to make the Move ecosystem the safest Web3 ecosystem.

Author: BitsLab

As a language that Web3 developers cannot ignore, Move stands out for its strong type system and resource semantics, which make it extremely robust in protecting asset ownership and in preventing illegal transfers and data races.

Ecosystems such as Sui and Aptos are placing more and more critical assets and core protocols on Move, precisely because the core features of the Move language enable the creation of safer smart contracts with lower risk.

However, in our long-term auditing and offensive-defensive practices, we have observed that a significant portion of tricky issues often do not occur at obvious spots like "syntax errors" or "type mismatches," but rather at more complex and realistic system levels—cross-module interactions, permission assumptions, state machine boundaries, and those invocation sequences where each step seems reasonable individually but can be exploited when combined.

For this reason, even though the Move language has a more comprehensive security paradigm, there have still been major attack incidents within its ecosystem. Clearly, security research on Move needs to go further.

We have identified a core issue: there is a lack of effective fuzzing tools for the Move language. Because Move imposes stricter constraints, traditional smart contract fuzzing faces a tough challenge in the Move context: generating transaction sequences that are both "type-correct" and "semantically reachable" is extremely complex. If the input is not precise enough, the call cannot be completed; without the call, deep branches and critical states cannot be covered, making it easier to miss the paths that can actually trigger vulnerabilities.

Based on this long-standing pain point, we collaborated with academic research teams to jointly complete and release the following research result:

"Belobog: Move Language Fuzzing Framework For Real-World Smart Contracts"

arXiv:2512.02918 (preprint)

Paper link:

This paper is currently published on arXiv as a preprint, which means the community can see research progress and provide feedback more quickly. We are submitting this work to PLDI’26 and are awaiting the peer review process. Once the submission result is confirmed and peer review is completed, we will promptly share relevant updates.

Making Fuzzing Truly "Reach" Move: From Random Trial-and-Error to Type-Guided

The core idea of Belobog is straightforward: since Move’s type system is its fundamental constraint, fuzzing should use types as navigation rather than as obstacles.

Traditional approaches often rely on random generation and mutation, but on Move, this quickly produces a large number of invalid samples: type mismatches, unreachable resources, parameters that cannot be constructed correctly, and bottlenecks in the call chain—ultimately, what you get is not test coverage, but a pile of "failures at the starting line."

Belobog’s approach is more like giving the fuzzer a "map." Starting from Move’s type system, it builds a type graph based on type semantics for the target contract, and then generates or mutates transaction sequences based on this graph. In other words, it does not blindly concatenate calls; it follows type relationships to construct call combinations that are more reasonable, that actually execute, and that penetrate deeper into the state space.

For security research, this change does not bring "fancier algorithms," but rather a very simple yet crucial benefit:

A higher proportion of valid samples, higher exploration efficiency, and a greater chance of reaching those deep paths where real vulnerabilities often occur.
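
A minimal sketch of the type-guided idea described above, added here as an illustration and not taken from Belobog or the paper: a constructed toy API (all function and type names are hypothetical) is turned into a type graph, a call sequence is planned backwards from a target function, and its validity is compared with that of random sequences. It assumes every resource argument is passed by value and consumed; references are not modelled.

```python
import random

# Constructed toy API shaped like a Move module (all names hypothetical): name -> (params, return)
API = {
    "create_pool": ((), "AdminCap"),
    "mint": (("AdminCap", "u64"), "Coin"),
    "deposit": (("Coin",), "Receipt"),
    "borrow": (("Receipt", "u64"), "Loan"),
    "liquidate": (("Loan", "AdminCap"), None),
}
PRIMITIVES = {"u64"}  # values a fuzzer can invent without calling anything

def type_graph(api):
    """Edges type -> functions returning that type (the producers of the type)."""
    graph = {}
    for fn, (_, ret) in api.items():
        if ret is not None:
            graph.setdefault(ret, []).append(fn)
    return graph

def plan(target, api, graph, rng):
    """Walk the graph backwards from `target`, emitting a producer call for every
    resource argument first. Assumes the graph is acyclic, as this toy one is."""
    seq = []
    for ty in api[target][0]:
        if ty not in PRIMITIVES:
            seq += plan(rng.choice(graph[ty]), api, graph, rng)
    return seq + [target]

def is_executable(seq, api):
    """Resource semantics: each resource argument must already exist and is moved
    (consumed) by the call, so it cannot be reused later."""
    pool = []
    for fn in seq:
        params, ret = api[fn]
        for ty in params:
            if ty not in PRIMITIVES:
                if ty not in pool:
                    return False
                pool.remove(ty)
        if ret is not None:
            pool.append(ret)
    return True

def random_valid_rate(api, length, trials, rng):
    """Fraction of uniformly random call sequences that would execute at all."""
    names = list(api)
    ok = sum(is_executable(rng.choices(names, k=length), api) for _ in range(trials))
    return ok / trials
```

Planning for `liquidate` yields a six-call sequence that creates a second `AdminCap`, because the first one was consumed by `mint`; random sequences of the same length rarely get past their second call.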

Facing Complex Constraints: Belobog Introduces Concolic Execution to "Open the Door"

In real Move contracts, key logic is often surrounded by layers of checks, assertions, and constraints. If you rely solely on traditional mutation, you can easily get stuck at the threshold: conditions are never met, branches are never entered, and states are never reached.

To solve this problem, Belobog further designs and implements concolic execution (a hybrid of concrete execution and symbolic reasoning). Simply put:

On one hand, it maintains concrete execution that "can run," and on the other, it uses symbolic reasoning to more purposefully approach those branch conditions, thereby more effectively penetrating complex checks and advancing coverage depth.

This is especially important for the Move ecosystem, because the "sense of security" in Move contracts is often built on multiple layers of constraints, while real problems often hide in the gaps between these constraints. What Belobog aims to do is push testing closer to these gaps.
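
The concolic loop described above, reduced to a single integer input, as an added example that is not Belobog's implementation: each run executes concretely while logging branch conditions, and a toy solver then picks the next input. The guarded function, its constants, and the affine-only solver are assumptions made for the illustration.

```python
class Sym:
    """A concrete int that also carries its affine form a*x + b over the input x."""
    def __init__(self, val, a, b):
        self.val, self.a, self.b = val, a, b
    def __mul__(self, k):
        return Sym(self.val * k, self.a * k, self.b * k)
    def __add__(self, k):
        return Sym(self.val + k, self.a, self.b + k)

def check(trace, sym, op, k):
    """Evaluate `sym op k` concretely and log it as a path constraint."""
    taken = sym.val >= k if op == ">=" else sym.val == k
    trace.append((sym.a, sym.b, op, k, taken))
    return taken

def guarded_entry(x, trace):
    """Constructed stand-in for an entry function behind layered checks."""
    v = Sym(x, 1, 0)
    if not check(trace, v, ">=", 1000):
        return "abort: below minimum"
    if not check(trace, v * 3 + 7, "==", 30007):
        return "abort: bad checksum"
    return "deep state reached"

def solve(trace):
    """Keep the passed prefix and flip the final failed branch, i.e. make every logged
    condition true. Toy solver: x >= 0 and a > 0 assumed; real engines use SMT."""
    lo, eq = 0, None
    for a, b, op, k, _ in trace:
        q, r = divmod(k - b, a)
        if op == ">=":
            lo = max(lo, q + (r != 0))  # ceil((k - b) / a)
        elif r == 0 and eq in (None, q):
            eq = q
        else:
            return None  # equality has no integer solution
    x = lo if eq is None else eq
    return x if x >= lo else None

def concolic(seed, max_runs=8):
    """Run concretely, solve the recorded path constraints, re-run with the new x."""
    x, runs = seed, []
    while x is not None and len(runs) < max_runs:
        trace = []
        runs.append((x, guarded_entry(x, trace)))
        if runs[-1][1] == "deep state reached":
            break
        x = solve(trace)
    return runs
```

Starting from the seed 5, the loop passes one more check per run and reaches the deepest branch on the third run, whereas blind mutation would have to guess the single accepted value.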

Aligning with the Real World: Not Just Running Demos, But Approaching Real Attack Paths

We do not want this kind of work to stop at "being able to run demos." Belobog’s evaluation targets real projects and real vulnerability findings. According to the experimental results in the paper, Belobog was evaluated on 109 real-world Move smart contract projects, and the results show that it can detect 100% of Critical vulnerabilities and 79% of Major vulnerabilities confirmed by manual security expert audits.

More notably, Belobog can reproduce full exploits from real on-chain incidents without relying on prior vulnerability knowledge. The value of this capability is that it is closer to what we face in real-world offensive and defensive scenarios: attackers do not succeed by exploiting a "single function error," but by leveraging complete paths and state evolution.

The Purpose of This Work Is Not Just "Building a Tool"

This paper is worth reading not just because it proposes a new framework, but because it represents a more pragmatic direction: abstracting frontline security experience into reusable methods and implementing them with verifiable engineering.

We believe the significance of Belobog is not in being "just another fuzzer," but in making fuzzing on Move closer to reality—able to reach, able to go deep, and closer to real attack paths. Belobog is not a closed tool designed for a handful of security experts, but a developer-friendly framework: it lowers the usage threshold as much as possible, allowing developers to continuously introduce security testing into familiar development processes, rather than making fuzzing a one-off, post-hoc task.

We will also release Belobog as open source, hoping it will become infrastructure that the community can jointly use, extend, and evolve, rather than remaining an experimental project at the "tool layer."

Paper (preprint):

(At the same time, this work is being submitted to PLDI’26 and is awaiting peer review.)

About MoveBit

MoveBit, a sub-brand of BitsLab, is a blockchain security company focused on the Move ecosystem, pioneering the use of formal verification to make the Move ecosystem the safest Web3 ecosystem. MoveBit has successively cooperated with many well-known projects worldwide and provided comprehensive security audit services for its partners. The MoveBit team consists of leading security experts from academia and industry, with 10 years of security experience and security research results published at top international security conferences such as NDSS and CCS. They are also among the earliest contributors to the Move ecosystem, working with Move developers to jointly establish standards for secure Move applications.
