
BitsLab's MoveBit Research Release | Belobog: A Move Fuzzing Framework for Real-World Attacks

MoveBit is a blockchain security company focused on the Move ecosystem, making the Move ecosystem the most secure Web3 ecosystem through pioneering the use of formal verification.
Author: BitsLab
Move is a language that Web3 developers cannot afford to ignore. Its strong type system and resource semantics are demanding, particularly where asset ownership, illegal transfers, and data races are concerned.
Ecosystems such as Sui and Aptos are placing more critical assets and core protocols on Move precisely because these core features make contracts more secure and less risky.
However, from our long-term experience in auditing and offensive security practice, we observe that many of the hard issues do not occur at obvious places such as syntax errors or type mismatches, but at more complex and realistic system levels: cross-module interactions, permission assumptions, state machine boundaries, and call sequences that look legitimate individually but can be exploited when combined.
For this reason, even though Move offers stronger security paradigms, high-impact attacks have still occurred within its ecosystem. Clearly, security research on Move must go further.
We have identified a core issue: the lack of an effective fuzzing tool for the Move language. Due to Move’s stricter constraints, traditional smart contract fuzzing faces a critical challenge in Move contexts: generating transaction sequences that are both "type-correct" and "semantically reachable" is extremely complex. Imprecise inputs fail to complete calls; failed calls mean deeper branches and critical states remain untested, making it easier to miss paths that could actually trigger vulnerabilities.
To address this long-standing pain point, we collaborated with academic research teams to jointly complete and release our research findings:
"Belobog: Move Language Fuzzing Framework For Real-World Smart Contracts"
arXiv:2512.02918 (preprint)
Paper link: https://arxiv.org/abs/2512.02918
This paper is currently published on arXiv as a preprint, intended to allow the community to see the progress quickly and provide feedback. We are submitting this work to PLDI’26 and awaiting the peer review process. Once the submission outcome is confirmed and peer review completed, we will promptly share the relevant updates.
Enabling Fuzzing to Truly “Get Into” Move: From Random Trial-and-Error to Type-Guided Exploration
Belobog’s core idea is straightforward: since Move’s type system forms its foundational constraint, fuzzing should treat types as navigation aids rather than obstacles.
Traditional approaches often rely on random generation and mutation, but in Move this quickly produces a large number of invalid samples: type mismatches, unreachable resources, parameters that cannot be constructed correctly, and call chains that are blocked partway through. The result is not test coverage but a pile of attempts that fail at the starting line.
Belobog's approach is more like handing the fuzzer a map. Starting from Move's type system, it builds a type graph for the target contract based on type semantics, then uses that graph to generate and mutate transaction sequences. In other words, instead of blindly stitching calls together, it follows type relationships to build call combinations that are well-formed, executable, and reach deeper into the contract.
For security research, this change brings not “fancier algorithms,” but a simple yet crucial benefit:
Higher proportion of valid samples, higher exploration efficiency, and greater chances of reaching deep paths where real vulnerabilities commonly reside.
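To make the "types as a map" idea concrete, here is a small Python illustration added to this article. It is not Belobog's code: the module, its types and its function signatures are constructed assumptions modelled on Move-style APIs (a TreasuryCap that mints Coins, a Pool whose flash loan hands back a Receipt hot potato that only repay() can destroy). The code builds a type graph from the signatures, computes which calls are reachable from the objects a sender already owns, and generates call sequences that type-check by construction, with a blind random generator alongside it for comparison.

```python
"""Type-guided call-sequence generation over a toy Move-style module.
Added illustration for this article, not Belobog's implementation. The module,
its types and its function signatures are constructed assumptions."""
import random
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Fn:
    name: str
    params: tuple          # parameter types, in order
    returns: tuple         # result types
    consumes: tuple = ()   # parameter types passed by value (moved into the callee)

PRIMITIVES = {"u64"}                # the fuzzer can always synthesise these
HOT_POTATO = {"Receipt"}            # no drop/store ability: must be consumed before the tx ends
GENESIS = ("TreasuryCap", "Pool")   # objects the sender already owns (assumption)

MODULE = [  # constructed module (assumption)
    Fn("mint",       ("TreasuryCap",),            ("Coin",)),
    Fn("split",      ("Coin", "u64"),             ("Coin", "Coin"), consumes=("Coin",)),
    Fn("flash_loan", ("Pool", "u64"),             ("Coin", "Receipt")),
    Fn("repay",      ("Pool", "Coin", "Receipt"), (),               consumes=("Coin", "Receipt")),
    Fn("deposit",    ("Pool", "Coin"),            (),               consumes=("Coin",)),
]

def build_type_graph(module):
    """Type graph edges: type -> calls that take it, and type -> calls that return it."""
    consumers, producers = {}, {}
    for fn in module:
        for t in fn.params:
            consumers.setdefault(t, []).append(fn)
        for t in fn.returns:
            producers.setdefault(t, []).append(fn)
    return consumers, producers

def reachable_functions(module, genesis):
    """Walk the graph from the sender's objects: a call is reachable once all its param types are."""
    consumers, _ = build_type_graph(module)
    have = set(genesis) | PRIMITIVES
    reached, work = set(), list(have)
    while work:
        for fn in consumers.get(work.pop(), []):
            if fn.name not in reached and all(p in have for p in fn.params):
                reached.add(fn.name)
                new = set(fn.returns) - have
                have |= new
                work.extend(new)
    return reached

def enabled(module, pool):
    """Calls whose every parameter can be supplied from the values currently in hand."""
    return [fn for fn in module if all(t in PRIMITIVES or pool[t] > 0 for t in fn.params)]

def apply(fn, pool):
    for t in fn.consumes:
        pool[t] -= 1
    for t in fn.returns:
        pool[t] += 1

def is_well_typed(module, genesis, seq):
    """Replay a sequence: each call must be enabled when made, and no hot potato may survive."""
    by_name = {fn.name: fn for fn in module}
    pool = Counter(genesis)
    for name in seq:
        fn = by_name[name]
        if fn not in enabled(module, pool):
            return False
        apply(fn, pool)
    return all(pool[t] == 0 for t in HOT_POTATO)

def type_guided_sequence(module, genesis, length, rng):
    """Generate a sequence that type-checks by construction; the graph is used to settle hot potatoes."""
    _, producers = build_type_graph(module)
    pool, seq = Counter(genesis), []
    while len(seq) < length or any(pool[t] for t in HOT_POTATO):
        candidates = enabled(module, pool)
        if len(seq) >= length:      # past the nominal length: only work towards settling
            settlers = [fn for fn in module if set(fn.consumes) & HOT_POTATO]
            ready = [fn for fn in settlers if fn in candidates]
            if not ready:           # settler blocked: follow producer edges to the missing type
                missing = {t for fn in settlers for t in fn.params
                           if t not in PRIMITIVES and pool[t] == 0}
                ready = [fn for t in missing for fn in producers.get(t, [])
                         if fn in candidates and not set(fn.returns) & HOT_POTATO]
            candidates = ready
        if not candidates:
            raise RuntimeError("type graph offers no call from this state")
        fn = rng.choice(candidates)
        seq.append(fn.name)
        apply(fn, pool)
    return seq

def random_sequence(module, length, rng):
    """Blind baseline: stitch calls together without looking at types."""
    return [rng.choice(module).name for _ in range(length)]

def valid_rate(module, genesis, guided, trials=200, seed=1, length=6):
    """Share of generated sequences that type-check, for the guided or the blind generator."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(trials):
        seq = (type_guided_sequence(module, genesis, length, rng) if guided
               else random_sequence(module, length, rng))
        ok += is_well_typed(module, genesis, seq)
    return ok / trials
```

Running `valid_rate(MODULE, GENESIS, True)` against `valid_rate(MODULE, GENESIS, False)` shows the effect the paragraph describes: every guided sequence is executable, while most blind ones abort on a missing parameter type or leave a Receipt unconsumed. The by-value `consumes` field is the toy's stand-in for Move's move semantics; a real generator would also track `&` versus `&mut` references and object ownership.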
Handling Complex Constraints: Belobog Uses Concolic Execution to “Open the Door”
In real Move contracts, critical logic is often surrounded by layers of checks, assertions, and constraints. If you rely solely on traditional mutation, you easily end up repeatedly hitting dead ends: conditions never satisfied, branches never entered, states never reached.
To solve this, Belobog also implements concolic execution (a hybrid of concrete execution and symbolic reasoning). Simply put:
It keeps execution concrete (the program actually runs) while using symbolic reasoning to steer toward branch conditions, so it can get past complex checks more effectively and push coverage deeper.
This is especially important for the Move ecosystem, as the “sense of security” in Move contracts often rests on multiple layers of constraints, while real problems frequently hide in the gaps formed by intersecting constraints. What Belobog aims to do is push testing right up to these gaps.
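The mechanism in miniature, as an added Python illustration rather than Belobog's engine: inputs run concretely but also carry a linear symbolic expression, every comparison is logged as a path constraint, and a one-variable solver produces inputs that flip the branches a run did not take. The `settle` target is a constructed assumption, not a real contract; it is written so that a per-call cap check and a solvency check use slightly different ratios, and the state in the gap between them is exactly the kind of place a blind mutator rarely reaches.

```python
"""Toy concolic executor: concrete runs that also collect linear path constraints, plus a
one-variable solver that flips untaken branches. Added illustration for this article, not
Belobog's engine; the `settle` target is constructed, not a real contract."""
U64_MAX = 2**64 - 1
NEGATE = {"==": "!=", "!=": "==", "<": ">=", ">=": "<", "<=": ">", ">": "<="}

def lin_add(a, b, sign=1):
    """Add (sign=1) or subtract (sign=-1) linear forms {var: coeff, None: constant}."""
    out = dict(a)
    for k, v in b.items():
        out[k] = out.get(k, 0) + sign * v
    return {k: v for k, v in out.items() if v}

class Sym:
    """A value that executes concretely while carrying a linear symbolic form over the inputs."""
    def __init__(self, value, lin, trace):
        self.value, self.lin, self.trace = value, lin, trace   # trace: shared constraint log
    def _lift(self, o):
        return o if isinstance(o, Sym) else Sym(o, {None: o}, self.trace)
    def _symbolic(self):
        return any(k is not None for k in self.lin)
    def __add__(self, o):
        o = self._lift(o)
        return Sym(self.value + o.value, lin_add(self.lin, o.lin), self.trace)
    __radd__ = __add__
    def __sub__(self, o):
        o = self._lift(o)
        return Sym(self.value - o.value, lin_add(self.lin, o.lin, -1), self.trace)
    def __rsub__(self, o):
        return self._lift(o) - self
    def __mul__(self, o):
        o = self._lift(o)
        if self._symbolic() and o._symbolic():   # non-linear: concretise, as concolic engines do
            return Sym(self.value * o.value, {None: self.value * o.value}, self.trace)
        k, lin = (o.value, self.lin) if not o._symbolic() else (self.value, o.lin)
        return Sym(self.value * o.value, {v: c * k for v, c in lin.items()}, self.trace)
    __rmul__ = __mul__
    def _cmp(self, o, op):
        """Evaluate `self op o` concretely and log the path constraint `(self - o) op 0`."""
        d = self - o
        taken = {"==": d.value == 0, "!=": d.value != 0, "<": d.value < 0,
                 "<=": d.value <= 0, ">": d.value > 0, ">=": d.value >= 0}[op]
        self.trace.append((d.lin, op, taken))
        return taken

for _op, _name in [("==", "__eq__"), ("!=", "__ne__"), ("<", "__lt__"),
                   ("<=", "__le__"), (">", "__gt__"), (">=", "__ge__")]:
    setattr(Sym, _name, lambda self, o, _op=_op: self._cmp(o, _op))   # all comparisons log

def solve(lin, op, inputs, names):
    """Solutions of `lin op 0` found by moving one input at a time (others stay concrete).
    A solution may break an earlier constraint on the path; that only costs a cheap
    concrete run, which `explore` de-duplicates by path."""
    found = []
    for i, var in enumerate(names):
        a = lin.get(var, 0)
        if a == 0:
            continue
        r = lin.get(None, 0) + sum(c * inputs[names.index(v)]
                                   for v, c in lin.items() if v not in (None, var))
        o = op
        if o in ("<=", "<"):                     # normalise to a*x (==|!=|>=|>) -r
            a, r, o = -a, -r, {"<=": ">=", "<": ">"}[o]
        cur = inputs[i]
        if o == "==":
            x = (-r) // a if (-r) % a == 0 else None
        elif o == "!=":
            x = cur + 1 if a * (cur + 1) + r != 0 else cur + 2
        elif o == ">=":                          # ceil(-r/a) for a > 0, floor(-r/a) for a < 0
            x = -(r // a) if a > 0 else (-r) // a
        else:                                    # strict: one step past the boundary
            x = (-r) // a + 1 if a > 0 else -(r // a) - 1
        if x is not None and 0 <= x <= U64_MAX:  # toy domain: inputs are u64
            cand = list(inputs)
            cand[i] = x
            found.append(tuple(cand))
    return found

def explore(target, names, seed, max_runs=100):
    """Concolic loop: run concretely, log the path, queue inputs that flip each branch on it."""
    worklist, seen_paths, outcomes = [tuple(seed)], set(), {}
    for _ in range(max_runs):
        if not worklist:
            break
        inputs = worklist.pop(0)
        trace = []
        outcome = target(*[Sym(v, {n: 1}, trace) for n, v in zip(names, inputs)])
        outcomes.setdefault(outcome, inputs)      # first inputs that reached each outcome
        path = tuple((frozenset(lin.items()), op, taken) for lin, op, taken in trace)
        if path in seen_paths:
            continue
        seen_paths.add(path)
        for lin, op, taken in trace:
            want = NEGATE[op] if taken else op    # the direction this run did not take
            worklist.extend(solve(lin, want, inputs, names))
    return outcomes

def settle(amount, reserve):
    """Constructed Move-style entry point (assumption): layered checks with a gap between them."""
    if not (amount > 0):
        return "abort:E_ZERO_AMOUNT"
    if not (amount * 200 <= reserve):        # cap: at most 0.5% of the reserve per call
        return "abort:E_EXCEEDS_CAP"
    if reserve - amount * 201 < 0:           # solvency check written against a different ratio
        return "deep:cap_and_solvency_disagree"
    return "ok"
```

`explore(settle, ("amount", "reserve"), (5, 10))` starts from a seed that aborts on the cap check; flipping that constraint on the `reserve` axis lands on `(5, 1000)`, which passes the cap exactly and fails solvency, so the "deep" state is reached on the fourth run. The solver here is deliberately minimal (one linear constraint, one variable at a time, integer domain); a production engine hands the whole path condition to an SMT solver, but the control loop is the same.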
Aligning with the Real World: Not Just Running Demos, But Approaching Real Attack Paths
We do not want such work to remain limited to “running demos.” Belobog’s evaluation directly targets real projects and actual vulnerability conclusions. According to experimental results in the paper: Belobog was evaluated on 109 real-world Move smart contract projects, and the results show it detected 100% of Critical vulnerabilities and 79% of Major vulnerabilities confirmed by manual security audits.
More notably: without relying on prior knowledge of vulnerabilities, Belobog was able to reproduce full exploits in real on-chain incidents. The value of this capability lies in how closely it mirrors real-world offensive scenarios: attackers succeed not through “single-function bugs,” but through complete paths and state evolution.
What This Work Aims to Express Goes Beyond “Building a Tool”
The reason this paper is worth reading is not merely because it introduces a new framework, but because it represents a more practical direction: abstracting frontline security experience into reusable methodologies and grounding them through reproducible engineering implementations.
We believe Belobog’s significance does not lie in being “another fuzzer,” but in making fuzzing on Move closer to reality—able to get in, go deep, and align better with real attack paths. Belobog is not a closed tool designed for only a few security experts, but a developer-friendly framework: it minimizes entry barriers so developers can continuously integrate security testing into familiar development workflows, rather than treating fuzzing as a one-off, post-development task.
We will also open-source Belobog, hoping it becomes infrastructure that the community can collectively use, extend, and evolve, rather than remaining an experimental project confined to the “tool level.”
Paper (preprint):
https://arxiv.org/abs/2512.02918
(This work is simultaneously under submission to PLDI’26, currently awaiting peer review.)
About MoveBit
MoveBit (MoBi Security), a subsidiary brand under BitsLab, is a blockchain security company dedicated exclusively to the Move ecosystem, pioneering the use of formal verification to make the Move ecosystem the most secure Web3 environment. MoveBit has progressively partnered with numerous renowned global projects, providing comprehensive security audit services. The MoveBit team consists of leading security experts from academia and industry, with 10 years of security experience, having published security research at top-tier international security conferences such as NDSS and CCS. They are also early contributors to the Move ecosystem, collaborating with Move developers to establish standards for secure Move applications.