
Code Audits

Move Smart Contract Audit

Security-first engineering for Move-based smart contracts. We review Aptos and Sui code for critical logic errors, resource misuse, and capability design flaws across MoveVM ecosystems. Our Move smart contract audit helps you launch safely and credibly.


100+

audits completed

$8.2B

in client assets protected

$183.2B

in transacted value secured

300+

crit / high issues found

Consolidated clients

Propeller Heads, Maple Finance, M0 Labs, Ostium, Vertex, Magma Finance, Singularity, Hyperwave, Insrt Finance, Layer3, megaeth, Orange Crypto, Liquity, thunderhead, Felix, Keyring Network, More Markets

A smart contract audit firm with

3+ years of expertise

Our team combines deep manual review, targeted tooling, threat modeling, and Move-specific checks. We bring that rigor to Aptos and Sui so findings map to real risk and fixes are fast to merge. If you need broader coverage, see our Opsec and dApp Audit services.

What is a Move Audit?

A Move smart contract audit is a comprehensive review of modules and packages written in Aptos Move or Sui Move. We validate business logic, invariants, and security assumptions under adversarial conditions. A Move audit focuses on capability flows and entry-function guardrails, resource and object safety, signer authority, module visibility, Sui object ownership and access control, and the correctness of publish and upgrade policies. Building on a different chain? Explore our Solidity and Rust smart contract audit services.


Why Move Blockchain Security Audits Matter

Move’s resource-oriented model removes entire bug classes, but teams still ship issues like weak signer checks, capability leakage, broken invariants, unsafe upgrades, and brittle integrations. Across the industry, on-chain exploits have cost users billions, much of it preventable with rigorous review. A Move smart contract audit preserves the properties your protocol depends on and reduces risk before it goes live on mainnet.

Common Vulnerabilities in Move Smart Contract Audits

Capability leakage / unintended privilege transfer

Privileged actions are guarded by capability resources; leaking or exposing them (e.g., via storage/returns) grants unauthorized callers admin-level operations they shouldn’t reach.

Over-broad friend / package visibility

Functions marked public(friend) or package-scoped become callable by more modules than intended, turning internal flows into externally triggerable privileged actions.

Ability misannotation (copy, drop, store, key)

Assigning abilities that a type shouldn’t have enables duplication, silent disposal, or unexpected global storage/keys for values meant to be linear or ephemeral.

Resource invariants violated (Aptos)

Linear resources are supposed to exist once; mint/burn/transfer paths or destructors that bypass checks create impossible states and break scarcity/accounting guarantees.

Sui object ownership & shared-object hazards

Misclassifying owned vs. shared vs. immutable objects, or promoting to shared unintentionally, exposes mutation to unexpected parties and introduces concurrency/interleaving surprises.

Package publish/upgrade policy pitfalls

Leaving packages upgradeable or mismanaging Sui’s UpgradeCap and UpgradeTicket lets later upgrades change behavior or invalidate assumptions your protocol depends on.

Entry-function overexposure

Exposing sensitive flows as entry fun or making them reachable via public(friend)/public(package) lets users invoke transitions directly that the design expected to be module-mediated.

Even with abilities and scoped visibility, Move code in production often shows patterns that lead to exploits. These items explain what each risk is and how it usually happens.
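As an added example, not code from Three Sigma or from any client project, the following Aptos Move package sketch puts three of the risks above side by side: a weak signer check that trusts an address argument, the guarded form that requires a `&signer` plus a key-only admin capability, and a read-only helper scoped to a declared friend module rather than exposed as `entry` or `public`. The named address `audit_example`, the module, function and error names, and the treasury/vault scenario are all constructed for this illustration; the package would need a `Move.toml` mapping `audit_example` to a real address before it compiles.

```move
// Added example (not Three Sigma's code). Named address `audit_example`,
// module names and error codes are constructed for illustration only.
module audit_example::treasury {
    use std::error;
    use std::signer;

    // Only this module may call the public(friend) function below.
    friend audit_example::vault;

    const ENOT_ADMIN: u64 = 1;
    const EALREADY_INITIALIZED: u64 = 2;

    /// Admin capability with only `key`: no `copy` (cannot be duplicated),
    /// no `drop` (cannot be silently discarded), no `store` (cannot be
    /// embedded in another struct and handed to other code). It can exist
    /// only in global storage, under the address it was moved to.
    struct AdminCap has key {}

    /// Protocol state. `admin` is recorded for bookkeeping, but the guarded
    /// function below does not trust it; it trusts the capability and signer.
    struct Treasury has key {
        paused: bool,
        admin: address,
    }

    /// One-time setup. On Aptos the VM runs a private `init_module` once,
    /// at publish time, with the publisher's signer.
    fun init_module(publisher: &signer) {
        let addr = signer::address_of(publisher);
        assert!(!exists<Treasury>(addr), error::already_exists(EALREADY_INITIALIZED));
        move_to(publisher, AdminCap {});
        move_to(publisher, Treasury { paused: false, admin: addr });
    }

    /// Weak pattern a review flags: authority is taken from a plain address
    /// argument, which any transaction sender can supply. Shown for comparison.
    public entry fun pause_weak(claimed_admin: address) acquires Treasury {
        let treasury = borrow_global_mut<Treasury>(@audit_example);
        assert!(treasury.admin == claimed_admin, error::permission_denied(ENOT_ADMIN));
        treasury.paused = true;
    }

    /// Guarded pattern: authority comes from the transaction signer, and the
    /// capability must live under that signer's own address. A transaction
    /// cannot produce a `&signer` for an account it does not control.
    public entry fun pause(admin: &signer) acquires Treasury {
        let addr = signer::address_of(admin);
        assert!(exists<AdminCap>(addr), error::permission_denied(ENOT_ADMIN));
        let treasury = borrow_global_mut<Treasury>(@audit_example);
        treasury.paused = true;
    }

    /// Read-only helper reachable only from declared friends. It is neither
    /// `entry` nor `public`, so arbitrary modules and transactions cannot
    /// call it; only `audit_example::vault` can.
    public(friend) fun is_paused(): bool acquires Treasury {
        borrow_global<Treasury>(@audit_example).paused
    }
}

module audit_example::vault {
    use std::error;
    use audit_example::treasury;

    const EPAUSED: u64 = 1;

    /// User-facing entry point that consults the friend-scoped state.
    /// Fund movement is omitted; the point is the visibility boundary.
    public entry fun withdraw(_user: &signer, _amount: u64) {
        assert!(!treasury::is_paused(), error::invalid_state(EPAUSED));
        // Withdrawal logic would follow here.
    }
}
```

When reviewing a real package, the questions this sketch is built around are the ones that matter: does every privileged path derive authority from a `&signer` or a capability rather than from caller-supplied data, does each capability type carry only the abilities its lifecycle needs, and is each `public(friend)` or `entry` function reachable by exactly the modules and transactions the design intended.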


Our Move Smart Contract Audit Process

Scoping and Planning

Map Move packages, modules, dependencies, friend relationships, publish and upgrade policies, critical flows, and objectives across Aptos and Sui to frame an accurate Move audit scope.

Architecture Review

Evaluate invariants, threat surfaces, capability issuance and consumption, signer authority, and resource or Sui object lifecycles to align security assumptions with your protocol design.

Manual Code Review

We read your code line by line, analyze abilities and events, and trace cross-module interactions and visibility to uncover unsafe patterns specific to Move.

Testing and Proving

Run static checks, add property-based tests, craft targeted proofs of concept, and apply the Move Prover where specifications fit to validate critical properties on Aptos and Sui.

Reporting & Remediation

Deliver severity and impact, clear reproduction steps, and the smallest safe fixes with rationale, written for developers and stakeholders who need decision-ready output.

Verification (Retest)

Review pull requests, rerun tests and proofs, and issue a final, shareable status so your project is ready for listings and partner reviews.

Hear from our Clients

Deliverables You Can Expect

Check out our previous Case Studies and their reports, outlining all identified vulnerabilities, their severity, and actionable remediation steps.

Post-audit support is included to help your team implement fixes and validate their effectiveness.

Our Move smart contract audit deliverables aren’t just a checkmark on your roadmap: they provide technical clarity, actionable security improvements, and documentation you can present to investors, partners, or compliance teams. This ensures your contracts are secure, reliable, and ready for mainnet deployment, and your project is set for success.


What You Gain
from a Three Sigma Audit

Our Move smart contract audit is more than a checkmark; it’s an investment in your project’s success.

Prevent costly exploits before they impact your users.

Increase trust with investors, partners, and the Web3 community.

Accelerate compliance with evolving blockchain security standards.

Protect brand reputation in an industry where trust is currency.

Industries We Secure

Our audits have helped secure decentralized applications across multiple verticals.

DeFi & Liquidity

Lending platforms, DEXes, staking, and collateral markets.

NFT & Collectibles

Marketplaces, launchpads, minting tools, and creator hubs.

Gaming & Metaverse

Play-to-earn games, trading hubs, and immersive 3D worlds.

Cross-Chain Infrastructure

Bridges, oracle networks, and cross-chain protocol layers.

Frequently Asked Questions

Check out the Move Audit F.A.Q.

What is different about auditing Move versus EVM?

Resource semantics, abilities, and capability flows introduce new guarantees and new failure modes. We focus on signer checks, capability scoping and revocation, Sui object ownership, and safe publish/upgrade policies alongside financial and integration logic.

Do you use the Move Prover?

Yes. Where properties can be expressed, we add or extend specifications and use the Prover to validate critical invariants, combined with manual review and property-based tests.
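As an added illustration of the "Testing and Proving" step and this answer, not code from Three Sigma or from any client, here is a minimal Aptos Move module with Move Prover specifications attached. It encodes the kind of scarcity invariant mentioned under "Resource invariants violated": minted supply never exceeds a cap. The named address `audit_example`, the module and constant names, and the cap value are constructed for this example.

```move
// Added example (not Three Sigma's code). Named address `audit_example`,
// the module name and MAX_SUPPLY are constructed for illustration only.
module audit_example::capped_supply {
    use std::error;

    const ECAP_EXCEEDED: u64 = 1;
    const MAX_SUPPLY: u64 = 1000000;

    /// Running total of minted units, stored once under the package address.
    struct Supply has key {
        minted: u64,
    }

    /// Runs once at publish time with the publisher's signer.
    fun init_module(publisher: &signer) {
        move_to(publisher, Supply { minted: 0 });
    }

    /// Mint `amount` units, aborting if the cap would be exceeded.
    /// Specification arithmetic is unbounded, so the `aborts_if` below also
    /// covers the u64 overflow abort that the runtime addition could raise.
    public fun mint(amount: u64) acquires Supply {
        let supply = borrow_global_mut<Supply>(@audit_example);
        assert!(supply.minted + amount <= MAX_SUPPLY, error::invalid_argument(ECAP_EXCEEDED));
        supply.minted = supply.minted + amount;
    }

    /// Read the current total.
    public fun minted(): u64 acquires Supply {
        borrow_global<Supply>(@audit_example).minted
    }

    // Function-level specification: exact abort conditions and post-state.
    spec mint {
        let supply = global<Supply>(@audit_example);
        let post supply_post = global<Supply>(@audit_example);
        aborts_if !exists<Supply>(@audit_example);
        aborts_if supply.minted + amount > MAX_SUPPLY;
        ensures supply_post.minted == supply.minted + amount;
        ensures supply_post.minted <= MAX_SUPPLY;
    }

    // Module-level invariant: the Prover checks that every public function
    // preserves it, including `mint` and `init_module`.
    spec module {
        invariant exists<Supply>(@audit_example) ==>
            global<Supply>(@audit_example).minted <= MAX_SUPPLY;
    }
}
```

The `spec mint` block pins down exactly when the function may abort and what it guarantees afterwards, so a later refactor that drops the cap check or changes the accounting fails verification instead of reaching mainnet; the `spec module` invariant states the scarcity property once, independent of any single entry point.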

Which networks do you support?

Aptos and Sui on testnet and mainnet. For mixed stacks, see Solidity Audits and Rust & Solana Audits.

What do you need to start a Move smart contract audit?

A commit or release, passing builds/tests, architecture documentation, deployment plans, invariants to preserve, and any prior audits or specs.

Secure Your Crypto Project Before It’s Too Late. Get in Touch Today.