move-over://landing

Move-over

Browser-based Move security wargame

Move-over is a browser-first CTF for Move security. Read vulnerable contracts, write the `run()` exploit path, and return the right `*Flag` to clear each level.

Move-over is open source. Explore the code on GitHub.

Format

Capture-the-Flag

Runtime

100% in Browser

Goal

Return the `*Flag`

Live Security Feed

[00:00:01] booting move-over browser runtime...

[00:00:02] loading challenge set: artifact, coin_collector, sticky_treasure

[00:00:03] objective detected: return level::Flag

[00:00:04] parsing run() template... ready

[00:00:05] no wallet requested, no network required

[00:00:06] partner channel connected: OpenZeppelin

[00:00:07] exploit simulation sandbox: active

[00:00:08] verifier status: waiting for your code...

[00:00:09] write run() and press Run_

[00:00:01] booting move-over browser runtime...

[00:00:02] loading challenge set: artifact, coin_collector, sticky_treasure

[00:00:03] objective detected: return level::Flag

[00:00:04] parsing run() template... ready

[00:00:05] no wallet requested, no network required

[00:00:06] partner channel connected: OpenZeppelin

[00:00:07] exploit simulation sandbox: active

[00:00:08] verifier status: waiting for your code...

[00:00:09] write run() and press Run_

Move Smart Contract Security in a Browser Runtime

Move-over is a browser-based security playground where you learn by doing. Instead of reading theory only, you inspect vulnerable contract code, write an exploit flow, run it instantly, and verify that your solution can return the expected proof object. The core loop is practical: read, write, run, return, and improve.

How the Move-over Browser Workflow Operates

Every level runs in an in-browser runtime, so there is no wallet setup, chain state dependency, or local VM requirement to start practicing. You focus on Move security logic: ownership checks, capability misuse, object state transitions, and how to craft a safe, reproducible exploit path that passes verification.

Write `run()`, Return the `Flag`, and Pass the Level

Your target is explicit: write the `run()` body so it can return the correct `*Flag` object for the challenge. If the return type and behavior match the level contract requirements, the level is cleared and your progress is saved.

Core Skills You Practice
  • Read and reason about Move smart contract security behavior.
  • Write exploit-oriented logic in a controlled browser environment.
  • Return proof objects correctly and validate deterministic outcomes.
Recommended Starting Path

Start with Artifact for fundamentals, continue with Sticky Treasure for object manipulation patterns, and then tackle Flash Vault for deeper exploit reasoning. This sequence builds practical Move security intuition step by step.