MoveBit Unveils Belobog Framework to Enhance Smart Contract Security

On December 17, 2025, MoveBit, the audit and security research brand of BitsLab, released a significant research paper titled “Belobog: Move Language Fuzzing Framework For Real-World Smart Contracts.” This paper, available on arXiv, addresses critical vulnerabilities in smart contracts that often stem from complex interactions rather than straightforward coding errors.

MoveBit’s extensive auditing has revealed that many vulnerabilities do not arise from obvious issues like syntax errors or type mismatches. Instead, they result from the intricate nature of real-world systems, including cross-module interactions and hidden assumptions. This complexity has led to high-impact incidents, underscoring the necessity for advanced security research in the blockchain domain.

Addressing the Fuzzing Gap

A notable gap identified by MoveBit is the lack of effective fuzzing solutions tailored specifically for the Move programming language. Traditional fuzzing techniques, which often rely on random trials, fail to generate valid transaction sequences that are both type-correct and semantically reachable. As a result, many potential vulnerabilities remain unexplored.

To tackle this issue, MoveBit collaborated with a university research team to develop Belobog. This framework is designed to leverage Move’s strict type system, transforming it from a barrier into a guide for fuzzing. By constructing a type graph based on Move’s type semantics, Belobog generates executable call sequences that explore deeper levels of a contract’s state space, increasing the chances of identifying actual vulnerabilities.

Innovative Techniques for Greater Coverage

Real smart contracts often incorporate multiple layers of checks and constraints, making conventional mutation-only fuzzing ineffective. Belobog employs concolic execution, which combines concrete execution with symbolic guidance, to navigate through these constraints and reach deeper states. This approach significantly enhances coverage and reveals vulnerabilities that might otherwise remain hidden.

MoveBit emphasizes the practical implications of this method, noting that Belobog’s design aims to reflect real-world conditions. Unlike many fuzzing tools that focus on limited demonstration scenarios, Belobog has been evaluated against 109 actual Move innovative contract projects, achieving a perfect detection rate of critical vulnerabilities and identifying 79% of major vulnerabilities, as confirmed by security experts.

Another noteworthy feature of Belobog is its ability to reproduce complete exploits from actual on-chain incidents. This capability is crucial, as real-world attackers often exploit vulnerabilities through complex paths rather than isolated bugs.

MoveBit positions Belobog not merely as another tool in the security arsenal, but as a comprehensive framework that translates real-world experiences into reusable and verifiable methods. The team aims to make Belobog user-friendly, facilitating continuous integration of security testing within developers’ existing workflows, rather than relying on one-off fuzzing efforts.

Furthermore, MoveBit plans to open-source Belobog, promoting it as a shared community resource. This initiative reflects the company’s commitment to enhancing security within the Move ecosystem and providing developers with the tools necessary to protect their smart contracts effectively.

The research paper is currently submitted to PLDI’26 and is awaiting peer review. Updates regarding the submission outcome will be shared following the review process.

About MoveBit: MoveBit is a subsidiary of BitsLab focused on blockchain security within the Move ecosystem. As an early adopter of formal verification, the team combines academic and industry expertise, contributing to significant research published at top conferences and providing comprehensive security audits for leading global projects.