MoveBit Research Release | Belobog: A Move Fuzzing Framework for Real-World Attacks

marsbit發佈於 2025-12-16更新於 2025-12-16

文章摘要

MoveBit introduces Belobog, a novel fuzzing framework designed specifically for Move smart contracts to address security challenges beyond syntax and type errors. Unlike traditional fuzzing methods that struggle with Move’s strong type system and resource semantics, Belobog leverages type-guided input generation and mutation. It constructs a type graph to produce semantically valid and executable transaction calls, significantly improving the efficiency and depth of state exploration. The framework integrates concolic execution (combining concrete and symbolic execution) to penetrate complex constraints and branch conditions, enabling deeper coverage of potential vulnerabilities. Evaluated on 109 real-world Move contracts, Belobog detected 100% of Critical and 79% of Major vulnerabilities confirmed by manual audits. It also demonstrated the ability to reproduce full exploit paths without prior knowledge of vulnerabilities. Designed to be developer-friendly, Belobog will be released as open-source to encourage community adoption and extension. The work is currently under peer review for PLDI’26. Preprint: https://arxiv.org/abs/2512.02918

Move, as a language that Web3 developers cannot afford to ignore, is particularly "hardcore" in its strong type system and resource semantics, especially regarding asset ownership, illegal transfers, and data races. Ecosystems like Sui and Aptos place increasingly important assets and core protocols on Move precisely because of its core language features, which enable the creation of more secure and lower-risk smart contracts.

However, the reality we've observed through long-term auditing and offensive/defensive practices is that a significant portion of thorny issues often do not occur in obvious places like "syntax errors" or "type mismatches," but rather at more complex, real-world levels—cross-module interactions, permission assumptions, state machine boundaries, and those call sequences that seem reasonable step-by-step but can be exploited when combined. Precisely because of this, even though the Move language has more robust security paradigms, there have still been significant attack incidents within its ecosystem. Clearly, security research for Move needs to go further.

We identified a core problem: the lack of an effective fuzzing tool for the Move language. Because Move has stronger constraints, traditional smart contract fuzzing faces a tricky pain point in the Move context: generating transaction sequences that are both "type-correct" and "semantically reachable" is very complex. If the input isn't precise enough, the call cannot be completed; if the call cannot be made, it fails to cover deep branches and reach critical states, making it easier to miss the paths that can truly trigger vulnerabilities.

Based on this long-standing pain point, we collaborated with a university research team to jointly complete and publish our research findings:

《Belobog: Move Language Fuzzing Framework For Real-World Smart Contracts》

arXiv:2512.02918 (Preprint)

Paper Link:https://arxiv.org/abs/2512.02918

This paper is currently published on arXiv as a preprint, its significance is to allow the community to see research progress faster and receive feedback. We are submitting this work to PLDI’26 and awaiting the peer review process. After the submission result is confirmed and peer review is completed, we will also share relevant updates promptly.

Making Fuzzing Truly "Run Into" Move: From Random Trial and Error to Type-Guided Exploration

Belobog's core idea is straightforward: since Move's type system is its fundamental constraint, fuzzing should use types as a guide, not an obstacle.

Traditional approaches often rely on random generation and mutation, but on Move, this quickly produces a large number of invalid samples: type mismatches, unreachable resources, parameters that cannot be correctly constructed, call chains with blocking points—what you end up with is not test coverage, but a pile of "failures at the starting line."

Belobog's method is more like giving the Fuzzer a "map." It starts from Move's type system, constructs a type graph based on type semantics for the target contract, and then uses this graph to generate or mutate transaction sequences. In other words, it doesn't blindly stitch calls together but constructs more reasonable, more executable, and更容易深入状态空间的调用组合 (easier to深入 state space call combinations) along type relationships.

For security research, the benefit this change brings is not a "fancier algorithm," but a very simple yet crucial gain:
Higher proportion of valid samples, higher exploration efficiency, and a better chance of reaching the deep paths where real vulnerabilities often appear.

Facing Complex Constraints: Belobog Introduces Concolic Execution to "Push Open the Door"

In real Move contracts, critical logic is often surrounded by layers of checks, assertions, and constraints. If you only rely on traditional mutation, you easily keep bumping at the door: the conditions are never met, the branches are never entered, the state is never reached.

To solve this problem, Belobog further designed and implemented concolic execution (a hybrid of concrete execution + symbolic reasoning). Simply put:

It maintains concrete execution that "can run," while on the other hand, it uses symbolic reasoning to more directionally approximate those branch conditions, thereby more effectively penetrating complex checks and advancing coverage depth.

This is particularly important for the Move ecosystem because the "sense of security" in Move contracts is often built on multiple layers of constraints, and the real problems often hide in the gaps after these constraints intersect. What Belobog wants to do is push testing near these gaps.

Aligning with the Real World: Not Just Running Demos, But Approaching Real Attack Paths

We don't want this kind of work to stop at "being able to run demos." Belobog's evaluation directly targets real projects and real vulnerability findings. According to the experimental results in the paper: Belobog was evaluated on 109 real-world Move smart contract projects. The experimental results show that Belobog was able to detect 100% of the Critical vulnerabilities and 79% of the Major vulnerabilities confirmed by manual security expert audits.

More notably: Without relying on prior vulnerability knowledge, Belobog was able to reproduce full exploits in real on-chain incidents. The value of this capability lies in the fact that it更接近我们在现实攻防里面对的情况 (closer to the situations we face in real-world offense/defense): attackers succeed not through "single-point function errors" but through complete paths and state evolution.

What This Work Aims to Express is Not Just "Making a Tool"

This paper is worth reading not only because it proposes a new framework, but because it represents a more pragmatic direction: abstracting frontline security experience into reusable methods and落地 (grounding) it with verifiable engineering implementations.

We believe the significance of Belobog lies not in being "yet another Fuzzer," but in making Fuzzing on Move closer to reality—able to run in, go deep, and align more closely with real attack paths. Belobog is not a closed tool designed for a few security experts, but a developer-friendly framework: it strives to lower the barrier to entry, allowing developers to continuously integrate security testing into their familiar development workflow, rather than making Fuzzing a one-time, after-the-fact task.

We will also release Belobog as open source, hoping it becomes infrastructure that the community can collectively use, extend, and evolve, rather than remaining an experimental project at the "tool level."

Paper (Preprint):https://arxiv.org/abs/2512.02918
(This work is also currently submitted to PLDI’26, awaiting peer review.)

About MoveBit

MoveBit (Mobi Security), a sub-brand under BitsLab, is a blockchain security company focused on the Move ecosystem, aiming to make the Move ecosystem the most secure Web3 ecosystem by pioneering the use of formal verification. MoveBit has successively cooperated with many well-known global projects and provided partners with comprehensive security audit services. The MoveBit team consists of security experts from academia and industry leaders with 10 years of security experience, having published security research results at top international security academic conferences such as NDSS and CCS. Moreover, they are early contributors to the Move ecosystem, working with Move developers to establish standards for secure Move applications.

熱門幣種推薦

相關問答

QWhat is the main challenge that traditional fuzzing tools face when applied to Move smart contracts?

ATraditional fuzzing tools struggle with generating transaction sequences that are both 'type-correct' and 'semantically reachable' in Move. Due to Move's strong type system and resource semantics, random generation and mutation produce a high volume of invalid samples, such as type mismatches, unreachable resources, and incorrectly constructed parameters. This results in many calls failing immediately, preventing deep branch coverage and making it difficult to reach critical states where real vulnerabilities often lie.

QHow does Belobog's approach differ from traditional fuzzing methods for smart contracts?

ABelobog uses Move's type system as a guide rather than an obstacle. It constructs a type graph based on the semantic relationships within the target contract and uses this graph to generate or mutate transaction sequences. This approach ensures that calls are constructed along type relationships, making them more reasonable, executable, and capable of penetrating deeper into the state space, unlike traditional methods that rely on blind, random splicing of calls.

QWhat technique does Belobog employ to handle complex constraints and branch conditions in Move contracts?

ABelobog employs concolic execution (a hybrid of concrete execution and symbolic reasoning). It maintains concrete execution to keep the program running' while using symbolic derivation to directionally approach branch conditions. This allows it to more effectively penetrate complex checks, such as assertions and constraints, and advance coverage depth, which is crucial for uncovering vulnerabilities hidden behind layered security checks in Move contracts.

QWhat were the key results of Belobog's evaluation on real-world Move smart contracts?

AIn an evaluation on 109 real-world Move smart contract projects, Belobog was able to detect 100% of the Critical vulnerabilities and 79% of the Major vulnerabilities that were confirmed by manual security audits. Notably, without relying on prior vulnerability knowledge, Belobog could also replicate full attack exploits (full exploits) from real on-chain incidents, demonstrating its ability to uncover complex attack paths that involve state evolution and multiple steps.

QHow does the Belobog team plan to release the framework, and what is its intended impact on the community?

AThe Belobog team plans to release the framework as open source. The goal is to make it a developer-friendly infrastructure that the community can collectively use, extend, and evolve, rather than keeping it as an experimental tool. By lowering the barrier to entry, it aims to integrate security testing seamlessly into developers' familiar workflows, promoting continuous security assessment rather than one-off, post-development audits.

你可能也喜歡

《天才法案》一周年:进展、差距与未来展望

《GENIUS法案》签署生效已满一年,但监管机构仍未完成其全部实施细则的制定,多项核心规则尚未最终敲定。尽管法案要求相关机构在7月18日前完成规则制定,但美国货币监理署、美联储、联邦存款保险公司、财政部等机构仍在起草关于发行方储备金、资本要求、流动性、托管和风险管理的关键法规。 目前,监管机构仍在收集公众意见,部分咨询期将持续至8月。尽管存在不确定性,各机构仍计划在2027年1月18日前开始执行该法案。在此过渡期,稳定币发行机构和金融机构不得不为一个缺乏完整细节的监管框架做准备。 未完成的规则包括储备金资格、流动性要求、托管标准和风险管理框架,这给Circle、Paxos等发行方的资本规划和运营韧性带来了挑战。尽管如此,美国稳定币市场规模已增长至约3100亿美元。 法案的推进已初步激励机构参与,贝莱德、摩根大通等机构已推出或申报了稳定币储备基金,Visa推出了服务上万机构的平台,首款银行发行的链上美元也已问世。议员辛西娅·卢米斯强调该法案是“重要的第一步”,并呼吁支持《CLARITY法案》以进一步巩固美国在数字资产领域的领导地位。 最终规则的完成进度,将直接影响受监管稳定币在美国获得广泛机构采纳的速度。

ambcrypto6 小時前

《天才法案》一周年:进展、差距与未来展望

ambcrypto6 小時前

交易

現貨

熱門文章

如何購買O

歡迎來到HTX.com!在這裡,購買O1 exchange (O)變得簡單而便捷。跟隨我們的逐步指南,放心開始您的加密貨幣之旅。第一步:創建您的HTX帳戶使用您的 Email、手機號碼在HTX註冊一個免費帳戶。體驗無憂的註冊過程並解鎖所有平台功能。立即註冊第二步:前往買幣頁面,選擇您的支付方式信用卡/金融卡購買:使用您的Visa或Mastercard即時購買O1 exchange (O)。餘額購買:使用您HTX帳戶餘額中的資金進行無縫交易。第三方購買:探索諸如Google Pay或Apple Pay等流行支付方式以增加便利性。C2C購買:在HTX平台上直接與其他用戶交易。HTX 場外交易 (OTC) 購買:為大量交易者提供個性化服務和競爭性匯率。第三步:存儲您的O1 exchange (O)購買O1 exchange (O)後,將其存儲在您的HTX帳戶中。您也可以透過區塊鏈轉帳將其發送到其他地址或者用於交易其他加密貨幣。第四步:交易O1 exchange (O)在HTX的現貨市場輕鬆交易O1 exchange (O)。前往您的帳戶,選擇交易對,執行交易,並即時監控。HTX為初學者和經驗豐富的交易者提供了友好的用戶體驗。

331 人學過發佈於 2026.06.19更新於 2026.06.29

如何購買O

如何購買PROS

歡迎來到HTX.com!在這裡,購買Pharos (PROS)變得簡單而便捷。跟隨我們的逐步指南,放心開始您的加密貨幣之旅。第一步:創建您的HTX帳戶使用您的 Email、手機號碼在HTX註冊一個免費帳戶。體驗無憂的註冊過程並解鎖所有平台功能。立即註冊第二步:前往買幣頁面,選擇您的支付方式信用卡/金融卡購買:使用您的Visa或Mastercard即時購買Pharos (PROS)。餘額購買:使用您HTX帳戶餘額中的資金進行無縫交易。第三方購買:探索諸如Google Pay或Apple Pay等流行支付方式以增加便利性。C2C購買:在HTX平台上直接與其他用戶交易。HTX 場外交易 (OTC) 購買:為大量交易者提供個性化服務和競爭性匯率。第三步:存儲您的Pharos (PROS)購買Pharos (PROS)後,將其存儲在您的HTX帳戶中。您也可以透過區塊鏈轉帳將其發送到其他地址或者用於交易其他加密貨幣。第四步:交易Pharos (PROS)在HTX的現貨市場輕鬆交易Pharos (PROS)。前往您的帳戶,選擇交易對,執行交易,並即時監控。HTX為初學者和經驗豐富的交易者提供了友好的用戶體驗。

347 人學過發佈於 2026.06.22更新於 2026.06.29

如何購買PROS

什麼是 VERONA

I. 項目介紹VERONA是第一個為大規模採用而專門建構的 L1。 它已經取得了顯著的進展,擁有數百萬用戶帳戶和超過200個應用程序的生態系統。 VERONA已從 Multicoin、Animoca、Circle、Hashkey、Spartan、Figment 等眾多頂級支持者處籌集了超過3600萬美元。 VERONA消除了所有技術複雜性,使任何用戶都能輕鬆訪問 Web3。VERONA提供了類似 Web2 的用戶體驗,利用協議級實現來處理抽象帳戶、簽名、費用、互操作性等問題,使開發者能夠構建安全、直觀且無縫的用戶體驗。II. 代幣信息1) 代幣基本信息代幣符號:VERONA(Verona)III. 相關鏈接 官網鏈接:https://xion.burnt.com/ 區塊鏈鏈接:https://explorer.burnt.com/ 白皮書鏈接:https://xion.burnt.com/whitepaper.pdf 社交媒體: https://x.com/burnt_xion 注意:項目簡介來自於官方項目團隊所發布或提供的信息資料,可能存在過時、錯誤或遺漏,相關內容僅供參考且不構成投資建議,HTX不會承擔任何依賴這些信息而產生的直接或間接損失。

301 人學過發佈於 2026.06.22更新於 2026.06.22

什麼是 VERONA

相關討論

歡迎來到 HTX 社群。在這裡,您可以了解最新的平台發展動態並獲得專業的市場意見。 以下是用戶對 A (A)幣價的意見。

活动图片