A Systematic Classification of Vulnerabilities in MoveEVM Smart Contracts (MWC)
Selçuk Topal

TL;DR
This paper presents the MWC system, a comprehensive vulnerability taxonomy for MoveEVM smart contracts, identifying hybrid risks unique to Move's integration with the EVM and proposing methods for improved security auditing.
Contribution
The paper introduces a novel vulnerability classification system specifically for MoveEVM contracts, addressing hybrid security issues overlooked by existing tools.
Findings
Current verification tools often miss hybrid vulnerabilities.
Analysis of real-world contracts reveals gaps in existing security assessments.
Formal methods and LLM-based agents can enhance smart contract auditing.
Abstract
We introduce the MoveEVM Weakness Classification (MWC) system -- a dedicated vulnerability taxonomy for smart contracts built with Move and executed in EVM-compatible environments. While Move was originally designed to prevent common security flaws via linear resource types and strict ownership, its integration with EVM bytecode introduces novel hybrid vulnerabilities not captured by existing systems like the SWC registry. Our taxonomy spans 37 categorized vulnerability types (MWC-100 to MWC-136) across six semantic frames, addressing issues such as hybrid gas metering, capability misuse, meta-transaction spoofing, and AI-integrated logic. Through analysis of real-world contracts from Aptos and Sui, we demonstrate that current verification tools often miss these hybrid risks. We also explore how formal methods and LLM-based audit agents can operationalize this classification, enabling…
Taxonomy
Topics: Blockchain Technology Applications and Security · Insurance and Financial Risk Management
