Resource-Oriented Safety and Move Modules
Move’s resource-oriented paradigm enforces strong safety guarantees, but improper module design or resource access can still introduce critical vulnerabilities. Audit Labs examines how your contracts define and manage custom resources, ensuring they’re used securely, cannot be accidentally duplicated or dropped, and follow proper lifecycle patterns. We identify violations of access control within modules and confirm that resource movement adheres strictly to the intended business logic.
Verification of Capability Scoping and Access Control
Capabilities in Move provide fine-grained control over operations like minting, burning, or transferring assets. Mismanagement of capabilities—especially delegation or leakage—can lead to privilege escalation or unauthorized actions. We audit capability granting and scoping mechanisms, ensuring they’re not exposed to untrusted modules or improperly stored in global state, which could allow malicious re-use or takeover.
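The scoping problem described above, as an added illustration that is not code from Audit Labs or from any audited project: a mint capability kept in global storage, with a function that lets any caller reuse it beside one that binds it to the signer. The module, struct and function names are hypothetical, and the sketch assumes a named address `example` and the standard `std::signer` module.

```move
// Added illustration; every name in this module is hypothetical.
module example::coin {
    use std::signer;

    const E_NOT_ADMIN: u64 = 1;

    /// No `copy` and no `drop`: a Coin cannot be duplicated or silently discarded.
    struct Coin has store { value: u64 }

    /// Capability that authorises minting. It has `key` only, so it can live in
    /// global storage but cannot be nested inside another module's resources
    /// (adding `store` would permit that).
    struct MintCap has key {}

    /// Publish the capability once, under the module's own address.
    public fun init(admin: &signer) {
        assert!(signer::address_of(admin) == @example, E_NOT_ADMIN);
        move_to(admin, MintCap {});
    }

    /// WEAK: the capability is looked up at an address chosen by the caller.
    /// Nothing proves the caller controls `holder`, so any module or
    /// transaction that knows where the MintCap is stored can mint with it.
    public fun mint_unscoped(holder: address, value: u64): Coin acquires MintCap {
        let _cap = borrow_global<MintCap>(holder);
        Coin { value }
    }

    /// SCOPED: the capability is looked up at the signer's own address, so only
    /// the account that holds the MintCap can exercise it. The capability is
    /// borrowed immutably and never returned, so it cannot leave this module.
    /// `borrow_global` aborts if the signer holds no MintCap.
    public fun mint(admin: &signer, value: u64): Coin acquires MintCap {
        let _cap = borrow_global<MintCap>(signer::address_of(admin));
        Coin { value }
    }
}
```

In review, the things to check are the ones the two functions differ on: where the address passed to `borrow_global` comes from, and whether any `public` function returns the capability or a reference to it.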
Move Bytecode Verifier Constraints and Abstraction Leakage
While the Move VM includes strong bytecode verification, incorrect assumptions at the source level can still result in dangerous behavior. Audit Labs performs low-level inspections to ensure bytecode matches high-level intent, avoiding abstraction leaks where trusted invariants (e.g., "this function always burns a token") silently fail. We validate function visibility, invariant preservation, and encapsulation at the bytecode level.
Global Storage and Unstructured Resource Leaks
Global storage access in Move must be explicit, but improper reads/writes or scattered resource dependencies can cause orphaned resources, storage bloat, or leaks. We evaluate how your contracts access and mutate global state, verifying that storage is deterministic, predictable, and doesn’t allow rogue resource insertion or accumulation outside expected logic flows.