install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/move-fuzzing" ~/.claude/skills/plurigrid-asi-move-fuzzing && rm -rf "$T"
manifest: skills/move-fuzzing/SKILL.md
Move Smart Contract Fuzzing Skill
Comprehensive fuzzing toolkit for Move smart contracts on Aptos, Sui, and Movement chains.
Trit Assignment: MINUS (-1) — Sink/Verification
Fuzzing is a verification sink that consumes contracts and emits vulnerability reports.
Tools Overview
| Tool | Target | Engine | Features |
|---|---|---|---|
| MoveSmith | Aptos (compiler/VM) | libFuzzer, AFL++, honggfuzz | V1/V2 diff, optimization diff |
| sui-fuzzer | Sui Move | Coverage-guided | Stateful fuzzing, property testing |
| ItyFuzz | EVM + MoveVM | LibAFL hybrid | Symbolic + fuzzing, flashloan, decompile |
| Belobog | Move (research) | Custom | Framework for vulnerability detection |
Quick Start
ItyFuzz (Most Versatile)
```shell
# Install
curl -L https://ity.fuzz.land/ | bash
ityfuzzup

# Fuzz Move contract on Sui
ityfuzz sui -t <package_id>::<module>::<function>

# Fuzz with onchain forking
ityfuzz sui -t <target> --onchain-block-number <block>
```
MoveSmith (Aptos Compiler Fuzzing)
```shell
# Clone and build
git clone https://github.com/aptos-labs/move-smith
cd move-smith
make build-docker
./run make

# Run V1 vs V2 compiler differential fuzzing
# arguments: 24 hours, 32 cores, 4KB max input, 3s timeout
./scripts/fuzz.sh v1v2 24 32 4 3

# Run optimization on/off differential
./scripts/fuzz.sh opt_noopt 24 16
```
Sui-Fuzzer (Sui-Specific)
```shell
# Clone with submodules
git clone --recursive git@github.com:FuzzingLabs/sui-fuzzer.git
cd sui-fuzzer

# Stateless fuzzing
make CONFIG_PATH="./config.json" TARGET_MODULE="my_module" TARGET_FUNCTION="my_func"

# Stateful fuzzing (call sequences)
make CONFIG_PATH="./config.json" TARGET_MODULE="calculator" TARGET_FUNCTIONS="add,sub"

# Docker
./docker_run.sh CONFIG_PATH="./config.json" TARGET_MODULE="my_module" TARGET_FUNCTION="my_func"
```
Configuration
sui-fuzzer config.json
```json
{
  "use_ui": true,
  "nb_threads": 8,
  "seed": 4242,
  "contract": "./build/package/bytecode_modules/module.mv",
  "execs_before_cov_update": 10000,
  "corpus_dir": "./corpus",
  "crashes_dir": "./crashes",
  "fuzz_functions_prefix": "fuzz_",
  "max_call_sequence_size": 5
}
```
MoveSmith.default.toml
```toml
[generator]
max_functions = 10
max_structs = 5
max_locals = 20

[fuzzing]
timeout = 3
max_input_len = 4096
```
Fuzz Targets
MoveSmith Targets
| Target | Oracle | Description |
|---|---|---|
| | Crash | Find crashes in compiler v2 |
| v1v2 | Differential | V1 vs V2 compiler differences |
| opt_noopt | Differential | Optimization on vs off |
| | Differential | AFL++ engine for V1/V2 |
| | Differential | Pure random input generation |
Property Testing Patterns
```move
module test::fuzzing {
    // The original listed only the fuzz_ entry points; the supply cap, account
    // type and deposit/withdraw helpers below are hypothetical fill-ins so the
    // module compiles. Replace them with the contract under test.
    const MAX_SUPPLY: u64 = 1_000_000_000;
    const E_INSUFFICIENT_BALANCE: u64 = 0;

    struct Account has drop {
        balance: u64,
    }

    fun deposit(account: &mut Account, amount: u64) {
        // u64 addition aborts on overflow, so a large fuzz input surfaces here
        // as an arithmetic abort rather than as a wrapped balance.
        account.balance = account.balance + amount;
    }

    fun withdraw(account: &mut Account, amount: u64) {
        assert!(account.balance >= amount, E_INSUFFICIENT_BALANCE);
        account.balance = account.balance - amount;
    }

    // Prefix with fuzz_ for sui-fuzzer discovery
    public fun fuzz_invariant(amount: u64): bool {
        // Your invariant check
        amount <= MAX_SUPPLY
    }

    // Stateful: operations that modify state
    public fun fuzz_deposit(account: &mut Account, amount: u64) {
        deposit(account, amount);
        assert!(account.balance >= amount, 1);
    }

    public fun fuzz_withdraw(account: &mut Account, amount: u64) {
        let pre_balance = account.balance;
        withdraw(account, amount);
        assert!(account.balance == pre_balance - amount, 2);
    }
}
```
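What the stateful mode and the `seed` / `max_call_sequence_size` settings in the sui-fuzzer config above actually buy you is easiest to see on a model. The block below is an added example, not code from this skill, from sui-fuzzer or from any other tool listed here: a seeded call-sequence fuzzer in Python run against a hypothetical Move ledger (Table-style balances plus a total_supply counter) that carries the classic read-both-then-write-both self-transfer bug. A stateless fuzz of `transfer` alone never trips the conservation invariant; a deposit followed by a self-transfer does. Addresses, amounts, the seed and the Ledger itself are constructed for illustration.

```python
"""Call-sequence fuzzer modelled on sui-fuzzer's stateful mode (constructed example,
not from the page or any tool it lists; Ledger and all data are hypothetical)."""
import random

U64_MAX = (1 << 64) - 1
E_INSUFFICIENT_BALANCE = 1
ADDRS = ["0xa", "0xb"]
INTERESTING = [0, 1, 2, 1000, U64_MAX - 1, U64_MAX]  # boundary values to always try

class MoveAbort(Exception):
    """Move VM abort; payload is an assert! code, or "arithmetic" for u64
    overflow/underflow, which a contract cannot catch."""

def checked_add(a, b):
    if a + b > U64_MAX:
        raise MoveAbort("arithmetic")
    return a + b

def checked_sub(a, b):
    if b > a:
        raise MoveAbort("arithmetic")
    return a - b

class Ledger:
    def __init__(self, buggy):
        self.balances = {}      # models Table<address, u64>
        self.total_supply = 0
        self.buggy = buggy

    def deposit(self, who, amount):
        self.total_supply = checked_add(self.total_supply, amount)
        self.balances[who] = checked_add(self.balances.get(who, 0), amount)

    def withdraw(self, who, amount):
        bal = self.balances.get(who, 0)
        if bal < amount:
            raise MoveAbort(E_INSUFFICIENT_BALANCE)
        self.balances[who] = checked_sub(bal, amount)
        self.total_supply = checked_sub(self.total_supply, amount)

    def transfer(self, src, dst, amount):
        src_bal = self.balances.get(src, 0)
        if src_bal < amount:
            raise MoveAbort(E_INSUFFICIENT_BALANCE)
        # Bug: destination balance read before the debit; when src == dst the later
        # write clobbers the debit and `amount` is minted out of thin air.
        if self.buggy:
            dst_bal = self.balances.get(dst, 0)
        self.balances[src] = checked_sub(src_bal, amount)
        if not self.buggy:
            dst_bal = self.balances.get(dst, 0)  # fixed: read after the debit
        self.balances[dst] = checked_add(dst_bal, amount)

def run_sequence(seq, buggy):
    """Replay from genesis; return index of the first invariant-breaking call, or None.
    Aborting calls are rolled back, as an aborted Move transaction changes no state."""
    ledger = Ledger(buggy)
    for i, (name, args) in enumerate(seq):
        saved = (dict(ledger.balances), ledger.total_supply)
        try:
            getattr(ledger, name)(*args)
        except MoveAbort:
            ledger.balances, ledger.total_supply = saved
            continue
        if sum(ledger.balances.values()) != ledger.total_supply:  # conservation
            return i
    return None

def random_call(rng):
    amount = rng.choice(INTERESTING + [rng.randrange(U64_MAX + 1)])
    op = rng.choice(["deposit", "withdraw", "transfer"])
    if op == "transfer":
        return (op, (rng.choice(ADDRS), rng.choice(ADDRS), amount))
    return (op, (rng.choice(ADDRS), amount))

def shrink(seq, buggy):
    """Greedy 1-minimal reduction: drop any call whose removal keeps the violation."""
    i = 0
    while i < len(seq):
        candidate = seq[:i] + seq[i + 1:]
        if candidate and run_sequence(candidate, buggy) is not None:
            seq = candidate
        else:
            i += 1
    return seq

def fuzz(buggy, seed=4242, iterations=2000, max_call_sequence_size=5):
    """Seeded like the sui-fuzzer config so runs reproduce; returns a shrunk violating
    sequence, or None when no sequence broke the invariant."""
    rng = random.Random(seed)
    for _ in range(iterations):
        seq = [random_call(rng) for _ in range(rng.randint(1, max_call_sequence_size))]
        idx = run_sequence(seq, buggy)
        if idx is not None:
            return shrink(seq[: idx + 1], buggy)
    return None
```

`fuzz(buggy=True)` returns a reduced sequence ending in a self-transfer; `fuzz(buggy=False)` returns `None`. Two details carry over to a real harness against the VM: every call must be applied transactionally (an abort leaves no state behind, so the model rolls back), and aborts should be classified, since an explicit `assert!` code is the contract working as intended while an arithmetic abort reachable by an untrusted caller is itself a finding.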
Vulnerability Detectors
ItyFuzz Detectors
- Integer overflow/underflow
- Precision loss
- Fund stealing
- Reentrancy exploitation
- Uniswap pair misuse
- Access control bypass
- Flash loan attacks
MoveScanner (Static Analysis)
```shell
# Cross-module vulnerability scanning
movescanner analyze --path ./sources --output report.json
```
Detects:
- Resource leaks
- Capability misuse
- Cross-module call vulnerabilities
- Type safety violations
- Arithmetic issues
Coverage Analysis
MoveSmith Coverage
```shell
# Generate coverage report
./scripts/coverage.sh v1v2

# Coverage over time graph
python scripts/coverage_graph.py logs/v1v2.log
```
Output Locations
| Tool | Crashes | Corpus |
|---|---|---|
| MoveSmith (libFuzzer) | | |
| MoveSmith (AFL++) | | |
| sui-fuzzer | | |
| ItyFuzz | | automatic |
Dependencies
Rust Tooling
```shell
cargo install cargo-fuzz
cargo install cargo-afl
cargo install cargo-binutils
cargo install honggfuzz
cargo install rustfilt

# Coverage tools
rustup component add --toolchain nightly llvm-tools-preview
```
System Dependencies
```shell
# macOS
brew install gnuplot

# Ubuntu
apt-get install gnuplot libclang-dev
```
Best Practices
- Start with ItyFuzz for quick vulnerability discovery
- Use MoveSmith for deep compiler/VM testing
- Use sui-fuzzer for Sui-specific stateful testing
- Run parallel campaigns with GF(3) balanced allocation
- Combine static analysis (MoveScanner) with fuzzing
- Property testing for critical invariants
- Differential fuzzing for compiler upgrades
Resources
- MoveSmith - Aptos Labs
- sui-fuzzer - FuzzingLabs
- ItyFuzz - Fuzzland
- ItyFuzz Docs
- Move Audit Resources
- Belobog Paper
- MoveScanner Paper
GF(3) Conservation
This skill is MINUS (-1): a verification sink that absorbs contracts and emits bug reports. Pair with ERGODIC (0) development and PLUS (+1) deployment skills for balanced security.
End-of-Skill Interface
Integration with Gay.jl Coloring
Assign deterministic colors to fuzz targets for parallel coordination:
```python
from enum import IntEnum


class FuzzTrit(IntEnum):
    COMPILER = -1  # MoveSmith compiler fuzzing (sink)
    RUNTIME = 0    # VM/runtime fuzzing (transform)
    CONTRACT = 1   # User contract fuzzing (source)


# GF(3) balanced fuzzing campaign
CAMPAIGN = [
    ("movesmith_v1v2", FuzzTrit.COMPILER),
    ("ityfuzz_vm", FuzzTrit.RUNTIME),
    ("sui_fuzzer_contract", FuzzTrit.CONTRACT),
]

# Sum: -1 + 0 + 1 = 0 ✓ (checked at import so an unbalanced campaign fails fast)
assert sum(trit for _, trit in CAMPAIGN) == 0
```
Autopoietic Marginalia
The interaction IS the skill improving itself.
Every use of this skill is an opportunity for worlding:
- MEMORY (-1): Record what was learned
- REMEMBERING (0): Connect patterns to other skills
- WORLDING (+1): Evolve the skill based on use
Add Interaction Exemplars here as the skill is used.