Movement Labs is building a Move-based blockchain network to provide interoperability between the Move execution environment and other networks.

Movement Labs Academy

An overview of the Move programming language used within the Movement Network.

Introduction to Move

In-depth technical information about the Movement Network's infrastructure.

Network Architecture

Exploration of frameworks that support development within the Movement ecosystem.

Movement Frameworks

Overview of the Movement Network's system design and components.

High-level Architecture

Specifics on the architecture at the node level within the Movement Network.

Node-level Architecture

Explore how Fast Finality Settlement (FFS) enhances blockchain performance by enabling rapid transaction finality without sacrificing security.

Fast Finality Settlement (FFS)

Movement Network

Overview of the Move programming language, its purpose, and target audience.

Introduction

Explanation of Move's two primary program types: modules and scripts, and their interactions.

Modules and Scripts

A step-by-step guide to getting started with Move, including practical examples.

Move Tutorial

Detailed information on integer types and operations in Move.

Integers

Understanding boolean types and their usage in Move.

Bool

Insights into the address type and its significance in Move.

Address

Exploration of the vector collection type and its functionalities.

Vector

Details on the signer type and its role in Move transactions.

Signer

Explanation of reference types and their usage in Move.

References

Overview of tuples and the unit type in Move.

Tuples and Unit

Understanding variable declarations, scopes, and lifetimes in Move.

Local Variables and Scopes

Discussion on equality operations and considerations in Move.

Equality

Guide to using abort and assert statements for error handling.

Abort and Assert

Explanation of conditional statements and their syntax.

Conditionals

Details on loop constructs and their usage in Move.

While and Loop

Comprehensive guide to function declarations, visibility, and usage.

Functions

Understanding struct definitions and the concept of resources in Move.

Structs and Resources

Guide to declaring and using constants in Move.

Constants

Explanation of generic types and their applications.

Generics

Insights into type abilities and their significance in Move's type system.

Type Abilities

Guide to the use syntax for creating aliases to module members.

Uses and Aliases

Explanation of the friend feature for module access control.

Friends

Overview of Move packages, their structure, and manifest syntax.

Packages

Guide to writing and running unit tests in Move.

Unit Tests

Understanding the structure of global storage in Move.

Global Storage Structure

Explanation of operators for interacting with global storage.

Global Storage Operators

Exploration of Move's standard library modules and their functionalities.

Standard Library

Recommended coding conventions and best practices for Move development.

Coding Conventions

Dive into the foundational security challenges of the Move programming language.

Security pitfalls of the Move language: Part 1

Building on the first installment, Part 2 of this series takes a deeper look into advanced security concerns in the Move language.

Security pitfalls of the Move language: Part 2

This practical guide highlights the top 10 most frequent bugs found in Move smart contracts.

Top 10 Most Common Move Contract Bugs

Move Language

Information on obtaining testnet tokens for development purposes.

Faucets

Explorers

Information on available network endpoints for connecting and interacting with the Movement Network.

Network Endpoints

GraphQL API that you can use to retrive data

Indexers

Investigating On-Chain Data

Step-by-step guide to writing and deploying your first Move contract on the Movement Network.

Your First Move Contract

Instructions on installing and using the Movement Command Line Interface for development tasks.

Movement CLI

How to build an end-to-end "onchain bio" dApp.

Aptos Move dApp

Deploy Move module to the Movement Network

Deploy to Movement Network

Guide to interacting with your deployed Move contracts on the blockchain.

Interact Onchain

How to use real-time data from Pyth Network in modules on the Movement Porto testnet.

Oracles

Run a Follower Node

Sync an existing Bardock follower node for the Bradock Testnet network.

Sync a Follower Node

Running Proof of Concept (PoC)

Take a look into known Issues and workarounds for the Movement ecosystem.

Audits & Known Issues

Movement Audits & Known Issues

Frequently asked questions about working with Movement as a developer.

Explore how the Move programming language enhances blockchain development with its resource-oriented approach, security features, and formal verification.

Why Move?

The Movement white paper which outlines the vision, principles, and technical foundation of Movement.

Whitepaper

Access the complete repository of Movement Improvement Proposals (MIPs) to review and understand all network upgrades and features.

Movement Improvement Proposals (MIPs)

Technical FAQ

Attackathons are education-based bug hunting competitions where security researchers compete over a reward pool by submitting impactful bugs in the project's code. Here's how they work:

**Before the Attackathon**<br/> Immunefi works with the project to host a security-focused education period, providing top tier education and support to security researchers.

**During the Attackathon**<br/> Security researchers experience optimal hunting conditions, with direct project support, responsiveness, and duplicate rewards.

**After the Attackathon**<br/> Immunefi spotlights the security accomplishments with a custom leaderboard, Attackathon Summary Report, Bugfix Reviews, and Individual Achievement Cards.

Ultimately, Attackathons serve to secure projects, develop their security ecosystem, and create new opportunities for security researchers.

What's an Attackathon?

docker-compose.local-development.indexer.yml [70]

docker-compose.ledger-should-progress.yml [53]

**Are there any unusual points about your protocol that may confuse Security Researchers?**

The nodes are not currently rolling back on settlement failures: https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md. Settlement logic is out of scope.

**Where might Security Researchers confuse out-of-scope code to be in-scope?**

- The entire layerzero-devtools repo is not generally in scope. Only the files we modified for our bridge are in scope.
- The indexer / graphql are not in scope.
- Other than the indexer, native_bridge.move, and atomic_bridge.move, the entire aptos-core repo is in scope. However, only certain parts of the movement repo are in scope.
- The nodes are not currently rolling back on settlement failures: [https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md](https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md). Settlement logic and MCR is out of scope.

**Is this an upgrade of an existing system? If so, which? And what are the main differences?**

The Move Language is forked from Aptos-Core, with additional modifications. Any bugs found outside of changes made by Movement Labs in Aptos-Core should be reported to Aptos Labs. Please view the following diff to view the scope of the Attackathon [https://github.com/aptos-labs/aptos-core/compare/main...movementlabsxyz:aptos-core:movement](https://github.com/aptos-labs/aptos-core/compare/main...movementlabsxyz:aptos-core:movement).

**Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?**

We don’t suspect a particular area more strongly than others; all in-scope assets are subject to investigation.

**What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?**

Movement has the ability to rollback chain state. Any impacts which do not cause significant damage and can be mitigated by a rollback may be downgraded. Snapshots of state are taken periodically.

**Which chains and/or networks is and will the code in scope be deployed to?**

The Movement Network.

**What external dependencies are there?**

- Crates in Cargo.toml
- Base images in the in scope Docker Compose files

**Are there any unusual points about your protocol that may confuse Security Researchers?**

The nodes are not currently rolling back on settlement failures: [https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md](https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md). Settlement logic and MCR is out of scope.

**What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)**

[https://docs.movementnetwork.xyz](https://docs.movementnetwork.xyz)

**Out-of-scope clauses**

The nodes are not currently rolling back on settlement failures: [https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md](https://github.com/movementlabsxyz/movement/blob/main/protocol-units/settlement/mcr/README.md). Settlement logic is out of scope.

Additionally, the native_bridge.move and atomic_bridge.move files within the aptos-core repository are not in scope as they are not used in production. Please see MOVEOFTAdapter.sol in the layerzero_devtools repository for bridging logic.

Indexer / graphql and MCR / settlement are all considered to be out-of-scope.

The following is always considered out of scope as a security researcher needs to find an applicable in scope impact, which would not be possible if it was the following:
- test and dev logic not directly related to our deployments
- code that is not used

usmannk

perseverance

Capybara

KlosMitSoss

jovi

okmxuse

dustincha

hulkvision

Blockian

br0nz3p1ck4x3

HollaDieWaldfee

savi0ur

niroh

yemresaritoprak

a090325

zhaojie

Rhaydden

ZeroTrust

keizo

fnmain

Berserk

Cartel

Nirix0x

avoloder

Minato7namikazi

p_laksmana

XDZIBECX

Franfran

p4rsely

Cryptor

p4y4b13

https://drive.google.com/file/d/1IAto_Q53lXfv4AeqF1MyQtUFP6oT6jcz/view?usp=drive_link

Movement Labs is a core contributor to Movement Network, a Move-based blockchain network that settles to Ethereum and creates safer execution environments by way of move. 

Contract fails to deliver promised returns, but doesn't lose value

Direct loss of funds

Permanent freezing of funds (fix requires hardfork)

Unintended permanent chain split requiring hard fork (network partition requiring hard fork)

Unintended chain split (network partition)

Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments

Causing network processing nodes to process transactions from the mempool beyond set parameters

RPC API crash affecting programs with greater than or equal to 25% of the market capitalization on top of the respective layer

Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours

Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network

A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk

Modification of transaction fees outside of design parameters

Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Permanent freezing of funds

Network not being able to confirm new transactions (total network shutdown)

Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Theft of gas

Unbounded gas consumption

Temporary freezing of funds for at least 24 hour

**No Runnable PoC Code Required**

For this program, runnable PoC code is not required. Whitehats are instead required to write a step-by-step explanation of the PoC and impact. For more information, please read [Audit Competition Proof-of-Concept Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33260632501777-Audit-Competition-Proof-of-Concept-Rules). 

**Asset Accuracy Assurance**

Bugs found on assets incorrectly listed in-scope are valid.

**Previous Audits**

Movement Labs’s completed audit reports can be found here:
- [https://1247499478-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBMbDkZsgQosju3BU30VN%2Fuploads%2FIw6F6sO75Gl3oOa9D6kD%2Fmeridian_audit_final.pdf?alt=media&token=f5ab2581-9407-4b2b-93d2-e7c61760cdbd](https://1247499478-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBMbDkZsgQosju3BU30VN%2Fuploads%2FIw6F6sO75Gl3oOa9D6kD%2Fmeridian_audit_final.pdf?alt=media&token=f5ab2581-9407-4b2b-93d2-e7c61760cdbd)
- [https://docs.canopyhub.xyz/audits/audit-reports](https://docs.canopyhub.xyz/audits/audit-reports)
- [https://drive.google.com/file/d/1nTg57yVLay1TrBbB3HnEoQ_ElQ0_rScL/view?usp=sharing](https://drive.google.com/file/d/1nTg57yVLay1TrBbB3HnEoQ_ElQ0_rScL/view?usp=sharing)
- [https://docs.echelon.market/echelon-v1/security/audit-reports](https://docs.echelon.market/echelon-v1/security/audit-reports)
- [https://github.com/movementlabsxyz/layerzero-devtools/issues](https://github.com/movementlabsxyz/layerzero-devtools/issues)
- [https://github.com/movementlabsxyz/aptos-core/issues](https://github.com/movementlabsxyz/aptos-core/issues)
- [https://github.com/movementlabsxyz/movement/issues](https://github.com/movementlabsxyz/movement/issues)
- [https://github.com/aptos-labs/aptos-core/issues](https://github.com/aptos-labs/aptos-core/issues)

Unfixed vulnerabilities mentioned in these reports are not eligible for a reward.

**Public Disclosure of Known Issues**

Bug reports for publicly disclosed bugs are not eligible for a reward. 
- [https://github.com/movementlabsxyz/aptos-core/pull/115](https://github.com/movementlabsxyz/aptos-core/pull/115)
- https://github.com/movementlabsxyz/movement/issues/1113 

**Private Known Issues Reward Policy**

Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.

**Mainnet AC (Audit Competition) Bug Fix Policy**

The project may make bug fixes during the competition.
- Fixed bugs immediately become out of scope once the fix is public.
- Duplicate submissions of a bug are only valid if they’re submitted before the fix is public.	

All project made bug fixes immediately become in scope for the mitigation competition once the fix is public, including fixes to bugs found independently of SRs.

Read our full [mainnet AC rules](https://immunefisupport.zendesk.com/hc/en-us/articles/33256328266769-Mainnet-Audit-Competition-Rules) for more info.

**KYC Requirement**

Movement Labs requires KYC information to pay for bug submissions. The following information will be required:
- Full name
- Date of birth
- Proof of address (either a redacted bank statement with address or a recent utility bill)
- Copy of Passport or other Government issued ID

Security researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.

**Eligibility Criteria**

Security researchers who wish to participate must adhere to the rules of engagement set forth in this program and cannot be:
- On OFACs SDN list 
- Official contributor, both past or present
- Employees and/or individuals closely associated with the project 
- Security auditors that directly or indirectly participated in an audit review of the code in scope (Such auditors may still participate in this program only if they receive project permission)

Rewards are distributed among SRs according to [Immunefi’s Standardized Competition Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/31657285001873-Standardized-Competition-Reward-Terms).

Rewards are denominated in USD and distributed in USDC on Ethereum and Move: $400k USDC and $100k worth of MOVE tokens.

The reward pool is **$400,000 USD** if any bug is found.

If not a single bug is found (Insights do not count as bugs) the reward pool is **$50,000 USD**.

__Mitigation Competition Rewards__

The maximum reward pool for the mitigation competition is **$100,000 USD**.

If any bug in scope is fixed during the mainnet AC then a mitigation competition will begin immediately, run simultaneously, and end 5 days after the mainnet AC has ended.

The mitigation competition’s reward pool is based on how many bugs are fixed while the competitions are live relative to how many bugs are found in the mainnet AC. So if projects make more bug fixes mid-competition then the size of the mitigation competition reward pool increases up to the maximum.

The full mitigation competition reward terms can be [read here](https://immunefisupport.zendesk.com/hc/en-us/articles/33256328266769-Mainnet-Audit-Competition-Rules).

NAME	EARNINGS	TOTAL VALID BUGS	CRITICAL	HIGH	MEDIUM/LOW	INSIGHTS
1	$95,112	8	7	1	0	0
2	$37,972	7	4	2	1	0
3	$33,781	7	1	6	0	0
4	$30,241	7	2	4	1	4
5	$24,819	4	2	1	1	4
6	$23,002	5	2	2	1	4
7	$20,715	2	1	1	0	0
8	$18,529	2	2	0	0	0
9	$16,675	5	1	4	0	1
10	$13,713	2	2	0	0	1
11	$11,878	8	1	4	3	2
12	$11,042	3	1	0	2	2
13	$7,439	4	1	2	1	1
14	$6,712	1	1	0	0	0
15	$6,712	1	1	0	0	0
16	$5,886	3	0	3	0	0
17	$5,844	3	0	1	2	8
18	$4,826	2	0	1	1	0
19	$4,143	1	0	1	0	0
20	$4,143	1	0	1	0	0
21	$3,498	2	1	1	0	1
22	$2,718	2	1	1	0	0
23	$2,441	1	1	0	0	2
24	$2,438	1	0	1	0	2
25	$1,381	1	0	0	1	0
26	$1,381	1	0	0	1	0
27	$973	1	0	1	0	1
28	$654	1	0	0	1	1
29	$559	1	0	0	1	0
30	$484	0	0	0	0	1
31	$290	0	0	0	0	1

Attackathon | Movement Labs

Status

Status