As blockchain technology continues to evolve, the security of smart contracts has drawn increasing attention from both academia and industry. The Move language, with its unique resource model and linear type system, provides a solid foundation for the security of digital assets. However, smart contracts still face new security challenges arising from developer programming errors and from the potential risks of cross-module interactions. This paper systematically analyzes the limitations of existing security tools within the Move ecosystem and reveals the ecosystem's distinctive vulnerability patterns. To address these issues, it introduces MoveScanner, a static analysis tool built on a control flow graph and data flow analysis architecture. By incorporating cross-module call graph tracking, MoveScanner can effectively identify five key types of security vulnerabilities, including resource leaks, weak permission management, and arithmetic overflows. In terms of design, MoveScanner adheres to a modular principle, supports bytecode-level analysis and multi-chain adaptation, and introduces a resource trajectory tracking algorithm and a capability matrix analysis method, thereby significantly reducing the false positive rate. Empirical results show that MoveScanner achieved 88.2% detection accuracy in benchmark testing, filling a gap in the security tooling of the Move ecosystem. Furthermore, this paper identifies twelve new types of security risks grounded in the resource-oriented programming paradigm and provides a theoretical foundation and practical experience for the development of smart contract security mechanisms. Future work will focus on combining formal verification and dynamic analysis techniques to build a security protection framework covering the entire contract lifecycle.
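The abstract describes MoveScanner's resource trajectory tracking only at a high level (a forward analysis over a control flow graph that follows where a resource goes). The following is an added, constructed illustration of that kind of CFG data-flow analysis, written for this page and not taken from the paper or from MoveScanner. It assumes a toy instruction set (`acquire`, `consume`, `branch`, `jump`, `return`) standing in for Move bytecode, and it flags any function exit that a still-unconsumed resource variable may reach. The instruction names, the `find_resource_leaks` function and the sample graphs are all invented for the example.

```python
"""Toy intra-procedural resource-trajectory analysis over a control flow graph.

Constructed illustration (not MoveScanner's algorithm): a tiny instruction set
stands in for Move bytecode. A variable that holds a resource after 'acquire'
must be consumed (moved into storage, returned, burned) on every path before
a 'return'; if some path reaches a return with the resource still live, the
function has a resource leak on that path.
"""
from collections import deque

# Instruction forms (constructed, not Move's real bytecode):
#   ("acquire", var)          var now holds a linear resource (e.g. a withdrawn coin)
#   ("consume", var)          resource in var is moved to a sink (deposit/return/burn)
#   ("branch", t_blk, f_blk)  conditional jump to one of two blocks
#   ("jump", blk)             unconditional jump
#   ("return",)               function exit


def successors(block):
    """Control-flow successors of a basic block, read from its last instruction."""
    last = block[-1]
    if last[0] == "branch":
        return [last[1], last[2]]
    if last[0] == "jump":
        return [last[1]]
    return []  # "return" has no successors


def transfer(live, block):
    """Apply a block's instructions to the set of live (unconsumed) resource vars."""
    live = set(live)
    for instr in block:
        if instr[0] == "acquire":
            live.add(instr[1])
        elif instr[0] == "consume":
            live.discard(instr[1])
    return live


def find_resource_leaks(cfg, entry="entry"):
    """Forward may-analysis with a worklist; sets only grow, so it terminates.

    Returns {block_name: sorted list of vars} for every return block that some
    path can reach while a resource is still unconsumed. Empty dict == clean.
    """
    live_in = {name: set() for name in cfg}
    live_out = {}
    worklist = deque([entry])
    while worklist:
        name = worklist.popleft()
        out = transfer(live_in[name], cfg[name])
        if live_out.get(name) == out:
            continue  # nothing changed since last visit
        live_out[name] = out
        for succ in successors(cfg[name]):
            merged = live_in[succ] | out  # union: "may still hold a resource"
            if succ not in live_out or merged != live_in[succ]:
                live_in[succ] = merged
                worklist.append(succ)
    leaks = {}
    for name, block in cfg.items():
        if block[-1][0] == "return" and live_out.get(name):
            leaks[name] = sorted(live_out[name])
    return leaks


# Constructed sample 1: a transfer that withdraws a coin, then exits early on a
# failed check without depositing or refunding it -> leak on the early_exit path.
LEAKY_TRANSFER = {
    "entry": [("acquire", "coin"), ("branch", "ok", "early_exit")],
    "ok": [("consume", "coin"), ("return",)],
    "early_exit": [("return",)],
}

# Constructed sample 2: same shape, but the early exit refunds the coin first.
FIXED_TRANSFER = {
    "entry": [("acquire", "coin"), ("branch", "ok", "early_exit")],
    "ok": [("consume", "coin"), ("return",)],
    "early_exit": [("consume", "coin"), ("return",)],
}

# Constructed sample 3: a loop that acquires and consumes on every iteration;
# the fixpoint iteration must not report a spurious leak here.
LOOP_CASE = {
    "entry": [("jump", "loop")],
    "loop": [("acquire", "coin"), ("consume", "coin"), ("branch", "loop", "done")],
    "done": [("return",)],
}

if __name__ == "__main__":
    for label, cfg in [("leaky", LEAKY_TRANSFER), ("fixed", FIXED_TRANSFER), ("loop", LOOP_CASE)]:
        print(label, find_resource_leaks(cfg))
```

Because the merge is a union, the analysis reports a leak if any path reaches a return with the resource live; a real tool would add path conditions and cross-module call-graph information (as the abstract says MoveScanner does) to cut false positives where the "leaking" branch is infeasible.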