Code Audits
Move Smart Contract Audit
Security-first engineering for Move-based smart contracts. We review Aptos and Sui code for critical logic errors, resource misuse, and capability design flaws across MoveVM ecosystems. Our Move smart contract audit helps you launch safely and credibly.
100+ audits completed
$8.2B in client assets protected
$183.2B in transacted value secured
300+ crit / high issues found
A smart contract audit firm with 3+ years of expertise
Our team combines deep manual review, targeted tooling, threat modeling, and Move-specific checks. We bring that rigor to Aptos and Sui so findings map to real risk and fixes are fast to merge. If you need broader coverage, see our Opsec and dApp Audit services.
What is a Move Audit?
A Move smart contract audit is a comprehensive review of modules and packages written in Aptos Move or Sui Move. We validate business logic, invariants, and security assumptions under adversarial conditions. A Move asset security audit focuses on capability flows and entry-function guardrails, resource and object safety, signer authority, module visibility, Sui object ownership and access control, and the correctness of publish and upgrade policies. Building on a different chain? Explore our Solidity and Rust smart contract audit services.
Why Move Blockchain Security Audits Matter
Move’s resource-oriented model removes entire bug classes, but teams still ship issues like weak signer checks, capability leakage, broken invariants, unsafe upgrades, and brittle integrations. Across the industry, on-chain exploits have cost users billions, much of it preventable with rigorous review. A Move smart contract audit preserves the properties your protocol depends on and reduces risk before it goes live on mainnet.
Common Vulnerabilities in Move Smart Contract Audits
Even with abilities and scoped visibility, Move code in production often shows patterns that lead to exploits. These items explain what each risk is and how it usually happens.
Capability leakage / unintended privilege transfer
Privileged actions are guarded by capability resources; leaking or exposing them (e.g., via storage or return values) grants unauthorized callers admin-level operations they should not be able to reach.
Over-broad friend / package visibility
Functions marked public(friend) or package-scoped become callable by more modules than intended, turning internal flows into externally triggerable privileged actions.
Ability misannotation (copy, drop, store, key)
Assigning abilities that a type should not have enables duplication, silent disposal, or unexpected global storage or keys for values meant to be linear or ephemeral.
Resource invariants violated (Aptos)
Linear resources are supposed to exist exactly once; mint, burn, or transfer paths or destructors that bypass checks create impossible states and break scarcity and accounting guarantees.
Sui object ownership & shared-object hazards
Misclassifying owned vs. shared vs. immutable objects, or promoting an object to shared unintentionally, exposes mutation to unexpected parties and introduces concurrency and interleaving surprises.
Package publish/upgrade policy pitfalls
Leaving packages upgradeable or mismanaging Sui's UpgradeCap and UpgradeTicket lets later upgrades change behavior or invalidate assumptions your protocol depends on.
Entry-function overexposure
Exposing sensitive flows as entry fun, or making them reachable via public(friend)/public(package), lets users invoke transitions directly that the design expected to be module-mediated.
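As an added illustration of the capability-leakage and entry-function-overexposure items above (constructed for this page, not code from Three Sigma or any audited project), two Aptos Move modules contrast a leaky admin capability with a scoped one; `demo` is an assumed named address and the fee logic is a stand-in for any privileged action.

```move
// Constructed illustration (not Three Sigma's or a client's code): leaky form.
module demo::leaky_vault {
    use std::signer;

    struct AdminCap has key {}
    struct Fee has key { bps: u64 }

    fun init_module(deployer: &signer) {
        move_to(deployer, Fee { bps: 30 });
    }

    // BUG: capability leakage + entry-function overexposure. Any account
    // can grant itself AdminCap, so the guard in `set_fee` is hollow.
    public entry fun become_admin(account: &signer) {
        move_to(account, AdminCap {});
    }

    public entry fun set_fee(admin: &signer, bps: u64) acquires Fee {
        assert!(exists<AdminCap>(signer::address_of(admin)), 1);
        borrow_global_mut<Fee>(@demo).bps = bps;
    }
}
// Hardened form: the only AdminCap is minted once, on publish, into the
// publisher's account; no public path can create or move another one.
module demo::scoped_vault {
    use std::signer;

    const E_NOT_ADMIN: u64 = 1;
    const E_FEE_TOO_HIGH: u64 = 2;
    const MAX_FEE_BPS: u64 = 1000;

    // Only `key`: no `copy` (cannot duplicate) and no `drop` (cannot be
    // silently discarded), so the capability stays linear.
    struct AdminCap has key {}
    struct Fee has key { bps: u64 }

    // Aptos calls this private function exactly once, at publish time.
    fun init_module(deployer: &signer) {
        move_to(deployer, AdminCap {});
        move_to(deployer, Fee { bps: 30 });
    }

    // Signer/capability check, then an invariant check on the new value.
    public entry fun set_fee(admin: &signer, bps: u64) acquires Fee {
        assert!(exists<AdminCap>(signer::address_of(admin)), E_NOT_ADMIN);
        assert!(bps <= MAX_FEE_BPS, E_FEE_TOO_HIGH);
        borrow_global_mut<Fee>(@demo).bps = bps;
    }
}
```

In review, the question to ask of every capability type is who can create it, who can move it, and whether any public or friend-visible function returns or stores it; in the hardened module the only answer to all three is `init_module`.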
Our Move Smart Contract Audit Process
Scoping and Planning
Map Move packages, modules, dependencies, friend relationships, publish and upgrade policies, critical flows, and objectives across Aptos and Sui to frame an accurate Move audit scope.
Architecture Review
Evaluate invariants, threat surfaces, capability issuance and consumption, signer authority, and resource or Sui object lifecycles to align security assumptions with your protocol design.
Manual Code Review
We read your code line by line, analyze abilities and events, and trace cross-module interactions and visibility to uncover unsafe patterns specific to Move.
Testing and Proving
Run static checks, add property-based tests, craft targeted proofs of concept, and apply the Move Prover where specifications fit to validate critical properties on Aptos and Sui.
Reporting & Remediation
Deliver severity and impact, clear reproduction steps, and smallest safe fixes with rationale, written for developers and stakeholders who need decision-ready output.
Verification (Retest)
Review pull requests, rerun tests and proofs, and issue a final, shareable status so your project is ready for listings and partner reviews.
Deliverables You Can Expect
Check out our previous Case Studies and their reports, outlining all identified vulnerabilities, their severity, and actionable remediation steps.
Post-audit support is included to help your team implement fixes and validate their effectiveness.
Our Move smart contract audit deliverables are not just a checkmark on your roadmap. They provide technical clarity, actionable security improvements, and documentation you can present to investors, partners, or compliance teams. This ensures your contracts are secure, reliable, and ready for mainnet deployment, and that your project is set for success.

What You Gain from a Three Sigma Audit
Our Move smart contract audit is more than a checkmark; it is an investment in your project's success.
Prevent costly exploits before they impact your users.
Increase trust with investors, partners, and the Web3 community.
Accelerate compliance with evolving blockchain security standards.
Protect brand reputation in an industry where trust is currency.
Industries We Secure
Our audits have helped secure decentralized applications across multiple verticals.
DeFi & Liquidity
Lending platforms, DEXes, staking, and collateral markets.
NFT & Collectibles
Marketplaces, launchpads, minting tools, and creator hubs.
Gaming & Metaverse
Play-to-earn games, trading hubs, and immersive 3D worlds.
Cross-Chain Infrastructure
Bridges, oracle networks, and cross-chain protocol layers.
Frequently Asked Questions
Check out the Move Audit F.A.Q.
What is different about auditing Move versus EVM?
Resource semantics, abilities, and capability flows introduce new guarantees and new failure modes. We focus on signer checks, capability scoping and revocation, Sui object ownership, and safe publish/upgrade policies alongside financial and integration logic.
Do you use the Move Prover?
Yes. Where properties can be expressed, we add or extend specifications and use the Prover to validate critical invariants, combined with manual review and property-based tests.
Which networks do you support?
Aptos and Sui on testnet and mainnet. For mixed stacks, see Solidity Audits and Rust & Solana Audits.
What do you need to start a Move smart contract audit?
A commit or release, passing builds/tests, architecture documentation, deployment plans, invariants to preserve, and any prior audits or specs.