Welcome to the Move Vulnerability Database (MVD) v3.0!
A comprehensive collection of vulnerability patterns in the Move ecosystem.
What's Inside
- Vulnerability Patterns - Categorized security issues with examples and severity ratings
- Appendix - Audit reports and protocol references
- Learning Resources - Curated materials for learning Move security
This resource consolidates 1000+ security vulnerabilities extracted from 200+ public Move audit reports across multiple firms and auditors. The database categorizes vulnerabilities into common patterns—from Input Validation and Business Logic flaws to Access Control and State Management issues—providing a central reference for developers, auditors, and security researchers to understand, recognize, and learn from real-world mistakes in Move codebases.
| Vulnerability Patterns | Findings |
|---|---|
| Business Logic | 296 |
| Input Validation | 170 |
| Calculation Errors | 148 |
| Coding Mistake | 76 |
| Access Control | 73 |
| State Management | 64 |
| Code Optimization | 43 |
| Denial of Service | 40 |
| Missing Functions | 37 |
| Data Inconsistency | 31 |
| Oracle Issues | 27 |
| Centralization Risk | 25 |
| Constant Definition | 21 |
| Cross-Implementation | 16 |
| Runtime/Development Issues | 15 |
| Missing Version Check | 12 |
| Gas-related Issues | 11 |
| Looping Issues | 10 |
| Front-running | 7 |
| Collision | 5 |
| Inflation Attacks | 5 |
| Documentation Mismatch | 3 |
| Signature Replay | 3 |
| Third-Party Risk | 2 |
| Race Condition | 1 |
| Total | 1141 |
Data sourced from public Move audit reports by the following auditors/firms:
| Audit Firm/Auditor | Report Links |
|---|---|
| OtterSec | Sampled Public Audit Reports (OtterSec Notion) |
| MoveBit | MoveBit — Sampled Audit Reports |
| MoveJay | MoveJay (Jayfromthe13th) |
| Zellic | Zellic Reports |
| Spearbit | Spearbit Reports |
| Cantina | Cantina Reports |
| Code4Arena | Code4Arena Reports |
| Certora | Certora Security Reports |
| Hacken | Hacken Audits |
| Pashov Audit Group | Pashov Audit Group — Audits |
| ExVul Security | ExVul Audits |
| Quantstamp | Quantstamp Reports |
| SlowMist | SlowMist Reports |
| Three Sigma | Three Sigma Reports |
| Asymptotic | Asymptotic Reports |
| Sherlock | Sherlock Reports |
Refer to the Appendix for the full list of reports and protocols.
⚠️ Disclaimer
All findings and summaries in this database are sourced from publicly available audit reports.
I do not own or claim ownership of any reports, documents, or content referenced here — all rights belong to their respective auditors, firms, and project teams.
This repository is an independent, educational, and non-commercial project created to help the community study and understand common vulnerability patterns in the Move ecosystem.
While I aim for accuracy, there may be typos, errors, broken links, or misattributed information.
If you spot any mistakes or missing details, please open an issue or reach out so I can correct them.
💬 Support & Contributions
If you'd like to learn more about the project or support future development, see the About section.