Move smart contracts face security risks stemming from programming errors and cross-module interactions, while existing analysis tools suffer from limited precision, inadequate coverage, and poor multi-chain adaptability. To address these challenges, this paper introduces MoveScanner—the first dedicated static analysis tool supporting bytecode-level deep inspection. MoveScanner innovatively integrates cross-module call-graph tracing, resource flow tracking, and capability matrix analysis to precisely detect five critical vulnerability classes, including resource leaks and privilege escalation. Experimental evaluation demonstrates a substantially reduced false positive rate and an 88.2% accuracy on benchmark suites. Moreover, MoveScanner uncovers 12 previously undocumented Move-specific vulnerabilities, thereby filling a critical gap in high-precision static analysis tools for the Move ecosystem. The framework provides both theoretically sound and empirically validated foundations for designing robust Move security mechanisms.

As blockchain technology continues to evolve, the security of smart contracts has increasingly drawn attention from both academia and industry. The Move language, with its unique resource model and linear type system, provides a solid foundation for the security of digital assets. However, smart contracts still face new security challenges due to developer programming errors and the potential risks associated with cross-module interactions. This paper systematically analyzes the limitations of existing security tools within the Move ecosystem and reveals their unique vulnerability patterns. To address these issues, it introduces MoveScanner, a static analysis tool based on a control flow graph and data flow analysis architecture. By incorporating cross-module call graph tracking, MoveScanner can effectively identify five key types of security vulnerabilities, including resource leaks, weak permission management, and arithmetic overflows. In terms of design, MoveScanner adheres to a modular principle, supports bytecode-level analysis and multi-chain adaptation, and introduces innovative resource trajectory tracking algorithms and capability matrix analysis methods, thereby significantly reducing the false positive rate. Empirical results show that MoveScanner achieved 88.2% detection accuracy in benchmark testing, filling the gap in security tools in the Move ecosystem. Furthermore, this paper identifies twelve new types of security risks based on the resource-oriented programming paradigm and provides a theoretical foundation and practical experience for the development of smart contract security mechanisms. Future work will focus on combining formal verification and dynamic analysis techniques to build a security protection framework covering the entire contract lifecycle