This article is reposted from Chaincatcher.
Move is a language that cannot be ignored by Web3 developers. With its strong type system and resource semantics, it is very “hardcore” in terms of asset ownership, illegal transfers, data races, and more. Ecosystems like Sui and Aptos are placing more and more key assets and core protocols on Move, precisely because the core features of the Move language enable the establishment of safer and lower-risk smart contracts.
However, what we have observed in long-term audits and offensive-defensive practices is that a significant portion of tricky issues often does not occur in obvious places like “syntax errors” or “type mismatches,” but rather at more complex and realistic system levels—cross-module interactions, permission assumptions, state machine boundaries, and those sequences of calls that seem reasonable at each step but can be exploited when combined. Therefore, even though the Move language has a more complete security paradigm, significant attack incidents have still occurred within its ecosystem. Clearly, security research on Move still needs to advance further.
We have identified a core issue: there is a lack of an effective fuzzing tool for the Move language. Because Move has stricter constraints, traditional smart contract fuzzing faces a tricky pain point in the Move scenario: generating transaction sequences that are both “type correct” and “semantically reachable” is very complex. If the input is not precise enough, the call cannot be completed; if the call cannot be made, deep branches cannot be covered, and critical states cannot be reached, making it easier to miss the paths that can actually trigger vulnerabilities.
Based on this long-term pain point, we collaborated with a university research team to jointly complete and publish our research results:
“Belobog: Move Language Fuzzing Framework For Real-World Smart Contracts”
arXiv:2512.02918 (preprint)
Paper link: https://arxiv.org/abs/2512.02918
This paper is currently published on arXiv as a preprint, which means it allows the community to see research progress and provide feedback more quickly. We are submitting this work to PLDI’26 and awaiting the peer review process. Once the submission results are confirmed and the peer review is completed, we will promptly update relevant progress.
Making Fuzzing Truly “Run into” Move: From Random Trial and Error to Type Guidance
The core idea of Belobog is straightforward: since the type system of Move is its foundational constraint, fuzzing should treat types as navigation rather than obstacles.
Traditional approaches often rely on random generation and mutation, but on Move, this quickly generates a large number of invalid samples: type mismatches, unreachable resources, incorrectly constructed parameters, and bottlenecks in the call chain—ultimately, what you get is not test coverage, but a bunch of “failures right from the start.”
Belobog’s approach is more like equipping the fuzzer with a “map.” It starts from the type system of Move to construct a type graph based on type semantics for the target contract, and then generates or mutates transaction sequences based on this graph. In other words, it does not blindly concatenate calls but constructs more reasonable, executable, and deeper-reaching combinations of calls along type relationships.
For security research, this change brings not “fancier algorithms,” but very simple yet crucial benefits:
a higher proportion of valid samples, greater exploration efficiency, and a better chance of reaching those deep paths where real vulnerabilities often appear.
Facing Complex Constraints: Belobog Introduces Concolic Execution to “Open the Door”
In real Move contracts, key logic is often surrounded by layers of checks, assertions, and constraints. If you rely solely on traditional mutation, you can easily bump back and forth at the door: conditions are never satisfied, branches cannot be entered, and states cannot be reached.
To solve this problem, Belobog further designed and implemented concolic execution (a hybrid execution of concrete execution and symbolic reasoning). Simply put:
On one hand, it maintains “executable” concrete execution, while on the other hand, it uses symbolic reasoning to more purposefully approach those branch conditions, thus more effectively penetrating complex checks and advancing coverage depth.
This is particularly important for the Move ecosystem because the “sense of security” in Move contracts is often built on multiple layers of constraints, while the real problems often hide in the gaps between those constraints. What Belobog aims to do is push testing closer to these gaps.
Aligning with the Real World: Not Just Running a Demo, But Approaching Real Attack Paths
We do not want this kind of work to stop at “being able to run a demo.” Belobog’s evaluation directly targets real projects and real vulnerability conclusions. According to the experimental results in the paper: Belobog was evaluated on 109 real-world Move smart contract projects, and the experimental results show that Belobog can detect 100% of Critical vulnerabilities and 79% of Major vulnerabilities confirmed by human security experts.
What is even more noteworthy is that Belobog can reproduce complete exploits in real on-chain events without relying on prior vulnerability knowledge. The value of this capability lies in its closer alignment with the situations we face in real offensive and defensive scenarios: attackers do not succeed through “single-point function errors,” but through complete paths and state evolutions.
This Work Aims to Convey More Than Just “Creating a Tool”
This paper is worth reading not just because it proposes a new framework, but because it represents a more pragmatic direction: abstracting frontline security experiences into reusable methods and implementing them with verifiable engineering.
We believe the significance of Belobog lies not in “another fuzzer,” but in making fuzzing more aligned with reality on Move—capable of running in, going deep, and being closer to real attack paths. Belobog is not a closed tool designed for a few security experts, but a developer-friendly framework: it aims to lower the barrier to use, allowing developers to continuously integrate security testing into familiar development processes, rather than treating fuzzing as a one-time, post-factum task.
We will also release Belobog as an open-source project, hoping it will become an infrastructure that the community can use, extend, and evolve together, rather than remaining an experimental project at the “tool level.”
Paper (preprint): https://arxiv.org/abs/2512.02918
(This work is also being submitted to PLDI’26 and is awaiting peer review.)
About MoveBit
MoveBit (Mobius Security), a sub-brand of BitsLab, is a blockchain security company focused on the Move ecosystem, aiming to make the Move ecosystem the safest Web3 ecosystem by pioneering the use of formal verification. MoveBit has collaborated with several well-known projects globally and provides comprehensive security audit services to its partners. The MoveBit team consists of leading figures in security from academia and industry, with 10 years of security experience, publishing security research results at top international security conferences such as NDSS and CCS. They are also among the earliest contributors to the Move ecosystem, working with Move developers to establish standards for secure Move applications.
Disclaimer: This article is reposted content and reflects the opinions of the original author. This content is for educational and reference purposes only and does not constitute any investment advice. Digital asset investments carry high risk. Please evaluate carefully and assume full responsibility for your own decisions.
Join MEXC and Get up to $10,000 Bonus!
Sign Up
