1. Essential Audit Toolchain

Static Analysis

Tool	Purpose	Key Features
Move Prover	Formal verification	- Mathematical proof of invariants - Detects arithmetic overflows - Ensures access control correctness
Move Analyzer	IDE Integration	- Real-time error detection - Type checking - Cross-module reference validation
Sui CLI Security Checks	Built-in audits	sui move verify sui client verify-source

Example Prover Usage:

spec balance_never_negative {  
    invariant balance >= 0;  
}  

Dynamic Analysis

Tool	Type	Coverage
Sui Test Framework	Unit Tests	- 100% path coverage - Mock objects/clocks
Sui Fuzzer	Property Tests	- Generates edge cases - Finds panics in arithmetic

Fuzz Test Example:

#[test_only]  
fun fuzz_transfer(amount: u64) {  
    let balance = 1000;  
    transfer(&mut balance, amount); // Auto-tests 0, MAX, etc.  
}  

---

2. Sui-Specific Scanners

Object Lifecycle Checkers

• Sui Storage Rebate Analyzer | Detects:
  • Unbounded object growth
  • Missing drop abilities
  • Orphaned UIDs

Access Control Audits

# Find all entry functions without signer checks  
grep -r "public entry" ./sources | grep -v "&signer"  

Shared Object Linters

Custom rules for:

• Missing epoch checks
• Concurrent modification risks
• Stale shared object references

---

3. Manual Review Techniques

Critical Checks

1. Capability Patterns:

   // Verify admin caps are properly guarded  
   assert!(address_of(signer) == admin_cap.admin, EUnauthorized);  
   

2. Dynamic Field Safety:

   // Ensure no unvalidated user input in dynamic fields  
   dynamic_field::add(&mut obj, user_input, value); // RISKY  
   

Gas Hotspots

• Storage Operations:

  // Prefer Table over vector for large collections  
  let bad: vector<u64>; // Expensive deletions  
  let good: Table<ID, u64>; // O(1) ops  
  

Sui Framework Adherence

• Cross-check against:
  • sui::coin
  • sui::clock

---

4. Integrated Audit Workflow

Step 1: Static Scan

sui move build --lint && \  
sui move prove --path ./sources  

Step 2: Dynamic Testing

sui move test --coverage && \  
move-fuzzer ./sources -iterations 1000  

Step 3: Manual Review

1. Check all entry functions:
   • Signer present?
   • Input validation?
2. Audit shared objects:
   • Epoch checks?
   • Locking mechanisms?

---

5. Common Findings by Tool

Tool	Typical Catches
Move Prover	- Integer overflows - Unreachable code
Sui CLI	- Invalid object ownership - Missing abilities
Fuzzer	- Panic on edge values - Gas bombs
Manual	- Business logic flaws - Marketplace compatibility

---

6. Pro Tips

✅ Continuous Auditing

# GitHub Action example  
- uses: MoveAnalyst/move-security-check@v1  
  with:  
    path: ./sources  

✅ Compare Against Known Vulnerabilities

• Sui Audit Reports
• Move Security Hall of Fame

✅ Use Multiple RPCs
Test against:

• Localnet
• Testnet
• Different fullnode providers

---

Static Analysis:

sui move check: Built-in CLI tool for basic type safety, object rules, and capability checks. Use --dev for more detailed diagnostics.

Move Prover: The most powerful tool for formal verification. It mathematically proves critical properties (invariants) you specify in your code. Ideal for core logic and security.

SeaGuard (MystenLabs): An experimental security scanner for Sui-specific patterns. (May require direct access).

Lint Tools (e.g., move-analyzer): IDE-integrated linter for real-time feedback, code formatting, and catching simple errors.

Security-Specific Techniques:

Watch for Sui-specific risks:

Improper Shared Object Use: Incorrect versioning or unauthorized mutations of shared objects.

Capability Leaks: Mismanaging capability tokens, granting unintended access.

Global Object Pollution: Leaving uncleaned state in shared objects.

Unbounded Vector/Table Growth: Data structures that can grow indefinitely, leading to high gas costs or transaction failures.

Hidden Reentrancy: While not direct like EVM, complex logic reuse in PTBs could simulate similar effects.

Manual Review Techniques:

Manual audits are crucial for detecting subtle logic flaws and economic vulnerabilities. Focus on:

Ownership & Capability Flow: Are objects and permissions transferred/revoked correctly and safely?

Permission Guards: Are all critical state changes and transfers protected by proper authorization checks?

State Invariants: Are the fundamental rules of your contract always maintained? (Document and test these).

Storage & Gas Control: Is data storage optimized? Are operations gas-efficient, especially in loops?

Events: Are critical state changes emitting events for off-chain monitoring?

Move Prover: The primary formal verification tool. It mathematically proves your code meets specific security properties and invariants you define (e.g., "total supply never exceeds X"). It's powerful but requires you to write spec (specification) blocks in your code.

Usage: Define spec blocks, then run sui move prove.

Move Analyzer: An IDE tool (like a VS Code extension) that provides real-time error checking, type validation, and basic linting as you code.

Sui Test Framework: For unit and integration testing your Move modules.

Third-Party Audit Firms for Sui Move Contracts

For developers building DeFi apps, blockchain games, or any on-chain project on Sui, these audit firms are actively supporting the ecosystem with security services:

• Asymptotic: Known for building the Sui Prover, a formal verification tool specifically for Sui smart contract validation. They leverage deep technical expertise in proving contract correctness.
• Blaize.Security: Offers comprehensive Sui-focused security services, including manual audits, CI/CD pipeline protection, live monitoring, and incident analysis.
• Certora: Combines traditional manual auditing with formal verification to deliver rigorous, hybrid security assessments, providing strong mathematical guarantees.
• MoveBit: One of the earliest firms to adopt formal verification in Sui audits. They also contribute through developer tools and Capture The Flag (CTF) events.
• OtterSec: Recognized for their thorough manual audits and close collaboration with development teams throughout the auditing process.
• Zellic: Possesses strong expertise in the Move language and actively works with multiple projects within the Sui ecosystem, known for their vulnerability research.

Enhancing Transparency with Move Registry (MVR)

Beyond third-party audits, Sui developers can leverage the Move Registry (MVR). This is an on-chain package management system that allows teams to directly attach crucial information like:

• Source code
• Documentation
• Audit results

By linking this verified information directly to their deployed smart contracts on-chain, MVR significantly enhances transparency and trust within the Sui ecosystem.

For safer I still prefer not just only use tool but have audit from 3rd party.

Whether you're developing a DeFi app, blockchain game, or any onchain project on Sui, a number of audit firms are already actively supporting the ecosystem, offering security services across various stages of development:

• Asymptotic – Built the Sui Prover, a formal verification tool specifically crafted for Sui smart contract validation.
• Blaize.Security – Provides comprehensive Sui-focused security services, including manual audits, CI/CD pipeline protection, live monitoring, and incident analysis.
• Certora – Combines traditional manual auditing with formal verification to produce rigorous hybrid security assessments.
• MoveBit – One of the earliest firms to adopt formal verification in Sui audits, while also contributing through developer tools and CTF events.
• OtterSec – Known for thorough manual audits and close collaboration with teams throughout the auditing lifecycle.
• Zellic – Offers strong expertise in the Move language and actively works with multiple projects within the Sui ecosystem.

Beside that Sui developers can leverage the Move Registry (MVR) — an onchain package management system that lets teams attach key information like source code, documentation, and audit results directly to their deployed smart contracts.

Auditing Sui Move smart contracts requires a blend of automated tools and manual techniques, especially because Sui introduces unique concepts like object ownership, shared objects, capabilities, and dynamic fields not present in standard Move (e.g., Aptos Move). Below is a curated toolkit and strategy guide tailored for security, correctness, and gas efficiency in the Sui Move ecosystem.

---

✅ 1. Top Tools for Auditing Sui Move Code

🔍 Static Analysis Tools

Tool Description Notes

sui move check Native CLI static analysis for type safety, object rules, capability checks Use with --dev to get more verbose diagnostics Move Prover Formal verification tool for proving correctness of invariants Requires annotations and works best for logic-heavy modules SeaGuard (MystenLabs) Experimental security scanner for Sui-specific patterns (ownership, capabilities) Internal tool, ask for access or check GitHub Slither-Move (community) Slither-like static analyzer ported for Move, checks for anti-patterns Limited Sui-specific support Lint Tools (e.g. move-analyzer) IDE-integrated code linter for formatting, duplication, unused vars Lightweight but helpful for early-stage cleanup

---

🧪 Dynamic Testing Tools

Tool Purpose Highlights

sui move test Unit + integration testing framework Can simulate real transaction execution sui client dry-run Emulates transaction behavior without committing Mirrors real gas usage and error messages sui move coverage Measures how much of your code is tested Helps identify untested logic branches Custom Gas Metering Use gas::track_gas() to test bottlenecks in logic flows Build internal metering tools for high-frequency ops

---

🔐 2. Security-Specific Techniques

✅ Sui-Specific Risk Patterns to Watch For:

Pattern Description

Improper Shared Object Use Forgetting versioning or invalid mutation patterns Capability Leaks Dropping capabilities or unintentionally passing them Global Object Pollution Leaving state in shared objects without cleanup Unbounded Vector Growth Forgetting storage limits or garbage collection Hidden Reentrancy Not directly applicable in Sui, but logic reuse across calls can simulate it

---

📜 3. Manual Review Techniques

Manual audits remain vital because many Move bugs are semantic, not just syntactic.

🔍 Audit Checklist

Category What to Look For

Ownership Flow Are object transfers clearly scoped? Are access patterns safe? Capability Flow Are capabilities scoped correctly? Revoked when no longer needed? Permission Guards Are any writes or transfers gated by owner/auth checks? Events & Observability Are all critical state changes emitting events? State Invariants Are they clearly documented/tested (use assertions/testcases)? Storage Bloat Is vector/map growth bounded? Are delete flows implemented? Gas Control Are loops minimized? Heavy paths simulated using dry-run?

---

🧠 4. How to Test Complex Invariants

For formally testing invariants:

📌 Use Move Prover

/// Prove that the loan amount must be repaid in full spec module::repay_loan { ensures loan.amount == 0; }

Install move-prover:

cargo install --git https://github.com/move-language/move move-prover move prove

Focus on balance preservation, authority enforcement, and state validity.

---

🛠️ 5. Toolchain Integration Strategy

Stage Tools

Dev Loop sui move check, sui move test, sui client dry-run, coverage Pre-Audit Custom unit test coverage + formal specs (move-prover) Audit Prep Static scan (SeaGuard/slither-move), ownership/capability flow reviews Post-Audit Regression test suite, benchmarking gas usage, upgrade simulations

---

🚨 Bonus: Common Mistakes to Avoid

Mistake Fix

Missing ownership checks Use tx_context::sender() to compare with stored owner Not revoking capabilities Explicitly delete or transfer to burn address if unused Relying on external checks only Enforce checks inside Move logic, not just frontend/JS SDK Ignoring gas benchmarking Use dry-run + sui move test to validate hot paths Forgetting dynamic field cleanup Clean Table/DynamicField entries on object deletion

---

📘 Resources

Sui Move Book

Move Prover Book

Sui Github - Examples & Framework

SeaGuard – Contact Mysten for early access

---

Would you like a downloadable audit checklist or a reusable Move Prover spec template for your modules?

Move has built-in static analysis capabilities that are part of the core language tools.

Move Prover (Built-in to Move Compiler):

What it is: The crown jewel of Move's security features. It's a formal verification tool that ships with the Move compiler. You can write formal specifications (called "spec functions" and "properties") directly within your Move code using the spec block. The Prover then mathematically proves whether your code adheres to these specifications.

Strengths:

Formal Verification: Provides mathematical guarantees about correctness and security properties (e.g., "this resource can only be transferred to its owner," "total supply never exceeds max supply").

Detects Invariants: Excellent for proving complex invariants, resource safety, and absence of common bugs like integer overflows/underflows (though Move's type system helps mitigate some of these already).

Resource Safety: Directly understands Move's resource concept, ensuring resources are never duplicated, lost, or created illicitly.

Usage:

You write spec blocks in your Move modules.

You run sui move prove (or move prove if using a standalone Move installation) from your package root.

Limitations:

Requires Specifications: You must explicitly write the properties you want to prove. This is an art and a science, and it can be time-consuming.

Complexity: Proving complex properties can sometimes be challenging for the prover, requiring careful specification writing.

Not a Magic Bullet: It proves what you specify. If you miss a critical property, the prover won't find issues related to it.

Best for: Core invariants, resource integrity, access control, and critical security properties.

Move Analyzer (Language Server / IDE Integration):

What it is: This is the language server that powers IDEs (like VS Code with the Move Analyzer extension). It provides real-time feedback, type checking, linting, and basic semantic analysis as you write code.

Strengths:

Real-time Feedback: Catches syntax errors, type mismatches, and basic semantic issues instantly.

Code Navigation: Helps understand code structure and dependencies.

Early Detection: Catches many common mistakes before compilation.

Usage: Install the Move Analyzer extension in VS Code.

Best for: Day-to-day development, ensuring basic correctness and catching common coding errors.