Greater Ecosystem Security Through Audits and Move Registry

Security in Web3 is a collaborative effort, and audits provide a valuable checkpoint between teams and external reviewers. Audits offer more than just technical validation—they provide confidence, transparency, and a valuable outside perspective on application design and implementation.

While the Move language and Sui's object-based data model introduce meaningful safety guarantees, such as eliminating the possibility of double spend and re-entrancy exploits, audits still play a crucial role. They help teams identify logical flaws, validate custom business logic, and ensure systems behave as expected under various conditions. Auditors can also surface risks that might not be obvious during internal testing, especially in more complex logic or apps involving multiple composable smart contracts.

Having a range of experienced audit firms available to ecosystem projects gives teams more flexibility in finding the right fit, whether based on specialization, capacity, or approach. On Sui, developers can go a step further by making their code and audit results publicly accessible onchain, ensuring transparency isn’t just a promise, but a provable part of the deployment process.

Security firms auditing within the Sui ecosystem 

Whether you’re launching a DeFi protocol, a game, or any other onchain app, several audit firms are already active in the Sui ecosystem and ready to support teams at different stages of development.

• Asymptotic – Developed the Sui Prover, a standalone formal verification tool tailored for Sui smart contracts.
• Blaize.Security – Delivers full-stack Sui defenses, including manual audits, CI/CD security pipelines, post-deployment monitoring, and incident investigation.
• BlockApex – Uses game‑theoretic audit techniques to hunt down complex, less obvious vulnerabilities in Sui contracts.
• Certora – Offers hybrid audit reports that mathematically verify contract correctness alongside traditional manual review.
• CQR – Contributes custom tooling for the Sui ecosystem, offering developer-focused testing frameworks and specialized vulnerability-discovery utilities. 
• Halborn – A growing footprint in Move-based ecosystems.
• MoveBit – Among the first to integrate formal verification into Sui audits, while also hosting CTFs and sharing developer tooling.
• OtterSec – Performs in-depth manual reviews, often working closely with the team throughout the audit process.
• QuillAudits – Delivers dual-stage code reviews and pentesting for Web3 projects.
• Zellic – Brings Move expertise and active engagements with Sui projects.

Bringing transparency onchain with Move Registry

In addition to working with auditors, developers on Sui can also take advantage of Move Registry (MVR)—a native onchain package management system that allows projects to associate information such as source code, documentation, and audit reports directly with their published smart contracts.

By linking verified source code and third-party audits to deployed packages, MVR gives users and developers greater visibility into what they’re interacting with, while supporting ecosystem-wide standards for transparency and security. It’s a powerful complement to traditional audits, enabling trust through both code and metadata.

Security is a shared effort

As the Sui ecosystem continues to grow, strong security practices remain essential. Audits are a key part of that effort, but they work best when approached collaboratively and proactively.

Because smart contracts on Sui are highly composable, the security of one project can directly impact others. By working with trusted auditors and making audit results accessible using Move Registry, developers contribute to a broader culture of transparency and resilience. It’s this interconnection between applications, teams, and standards that helps weave a stronger, more secure foundation for the entire ecosystem.