Move-over
Browser-based Move security wargame
Move-over is a browser-first CTF for Move security. Read vulnerable contracts, write the `run()` exploit path, and return the right `*Flag` to clear each level.
Move-over is open source. Explore the code on GitHub.
Format: Capture-the-Flag
Runtime: 100% in Browser
Goal: Return the `*Flag`
[00:00:01] booting move-over browser runtime...
[00:00:02] loading challenge set: artifact, coin_collector, sticky_treasure
[00:00:03] objective detected: return level::Flag
[00:00:04] parsing run() template... ready
[00:00:05] no wallet requested, no network required
[00:00:06] partner channel connected: OpenZeppelin
[00:00:07] exploit simulation sandbox: active
[00:00:08] verifier status: waiting for your code...
[00:00:09] write run() and press Run_
Move Smart Contract Security in a Browser Runtime
Move-over is a browser-based security playground where you learn by doing. Instead of only reading theory, you inspect vulnerable contract code, write an exploit flow, run it instantly, and verify that your solution returns the expected proof object. The core loop is practical: read, write, run, return, and improve.
How the Move-over Browser Workflow Operates
Every level runs in an in-browser runtime, so there is no wallet setup, chain state dependency, or local VM requirement to start practicing. You focus on Move security logic: ownership checks, capability misuse, object state transitions, and how to craft a safe, reproducible exploit path that passes verification.
Write `run()`, Return the `Flag`, and Pass the Level
Your target is explicit: write the `run()` body so it can return the correct `*Flag` object for the challenge. If the return type and behavior match the level contract requirements, the level is cleared and your progress is saved.
Core Skills You Practice
- Read and reason about Move smart contract security behavior.
- Write exploit-oriented logic in a controlled browser environment.
- Return proof objects correctly and validate deterministic outcomes.
Recommended Starting Path
Start with Artifact for fundamentals, continue with Sticky Treasure for object manipulation patterns, and then tackle Flash Vault for deeper exploit reasoning. This sequence builds practical Move security intuition step by step.