Move Revealed: The Revela Decompiler
by Verichains and Aptos Labs
· Why Decompilation?
· How to Use
· For the community, by the community
The Move language for smart contracts is revolutionizing the development of secure and resilient blockchains like Aptos. As contracts become more complex and play a vital role in safeguarding digital assets, it is essential to empower users with the means to verify the safety of the underlying code. Unfortunately, it is common practice in blockchains to deploy code solely in low-level bytecode form, without accompanying source code. This lack of transparency creates a fertile ground for malicious actors to insert malicious code without detection. Moreover, without the source code, the community cannot audit or review the contracts effectively, stifling collaborative efforts to identify and fix security issues.
In response to this challenge, Verichains has worked with Aptos Labs to develop the Revela Decompiler, the first-ever open-source tool designed to decompile Move bytecode back to its original source code, which can then be fed into the Move compiler once again. With the ability to independently verify and analyze code, Revela establishes industry standards in fostering a secure, open and trusted environment for learning and benchmarking development.
Why Decompilation?
Move bytecode — as it is stored on-chain and processed by the Move VM — provides all essential information needed to reconstruct the original source program. There may in fact exist proprietary tools which mine Move bytecode for desired information. Privacy of information contained in Move bytecode could therefore never be guaranteed.
The Revela decompiler intends to level the playing field here by giving everybody access to a tool which can visualize Move bytecode as a Move program. There are multiple advantages to such a tool:
- Verified by Construction: We can show 100% correct source code corresponding to the bytecode on-chain. No mechanism is needed like the one Etherscan provides for Ethereum, where source code first needs to be uploaded to a service which then performs a (non-decentralized) verification step.
- Enhanced Trust: By making the decompiler public, we are prioritizing transparency within the Aptos ecosystem. This increased transparency not only allows builders and users to fully understand how smart contracts function, but also helps in identifying any hidden malicious code or vulnerabilities. This ultimately strengthens trust and security within the ecosystem, giving users peace of mind.
- Independent Verification: With the ability to independently verify and analyze smart contract code, users and developers have the power to ensure the integrity of protocols and apps. By empowering users, we are fostering a more secure, open, and trusted environment for everyone involved.
- Knowledge Sharing: The decompilation tool serves as an invaluable educational resource for emerging developers. By analyzing secure smart contracts and understanding their inner workings, developers can apply these insights to create more robust and secure applications.
- Setting Industry Standards: Exposure to a variety of smart contract codes through the decompiler aids in establishing industry-wide best practices and security standards. By observing and learning from a diverse range of secure contracts, developers can benchmark their own work and implement robust security measures.
How to Use the Decompiler
The Revela decompiler is integrated into the Aptos CLI. To begin using it, you must first install Revela using the CLI update command. Here is an example of how it works:
# install Revela for first time usage
aptos update revela
# download some package from chain, here the Move standard library
aptos move download --account 0x1 --bytecode --package MoveStdlib
# output
ls MoveStdlib/bytecode_modules
-> acl.mv bcs.mv ... vector.mv
# decompile!
aptos move decompile --package-path MoveStdlib/bytecode_modules
# output
ls MoveStdlib/bytecode_modules
-> acl.mv acl.mv.move bcs.mv bcs.mv.move ... vector.mv vector.mv.move
The decompiled Move file is created side-by-side with the original bytecode file. For example, vector.mv is the bytecode of the 0x1::vector module of Move, and vector.mv.move contains the output of the decompiler. Let’s take a peek into the last file:
module 0x1::vector {
    public fun contains<T0>(arg0: &vector<T0>, arg1: &T0) : bool {
        let v0 = 0;
        while (v0 < length<T0>(arg0)) {
            if (borrow<T0>(arg0, v0) == arg1) {
                return true
            };
            v0 = v0 + 1;
        };
        false
    }
    ..
}
This is the implementation of the contains function on vectors in the standard library. As seen, the code generated by Revela is quite readable.
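As an added example (not code from the original post or from the Revela project), here are two POSIX shell helpers for the step after decompilation: one confirms that every downloaded `.mv` file has a non-empty `.mv.move` sibling before an audit starts, the other lists a module's externally callable functions. The function names are hypothetical, and the matching pattern assumes one-line function declarations like the `contains` example above.

```shell
#!/bin/sh
# Added example: audit-prep checks over a directory produced by
# `aptos move download --bytecode` followed by `aptos move decompile`.
#
# Usage after the steps shown above:
#   missing_decompiled MoveStdlib/bytecode_modules && echo "all modules decompiled"
#   public_functions MoveStdlib/bytecode_modules/vector.mv.move

# Print the name of every bytecode file (*.mv) whose decompiled sibling
# (*.mv.move) is absent or empty. Returns 0 when every module is covered,
# 1 when at least one module would escape source-level review.
missing_decompiled() {
  _dir=$1
  _missing=0
  for _mv in "$_dir"/*.mv; do
    [ -e "$_mv" ] || continue            # glob matched nothing
    if [ ! -s "$_mv.move" ]; then        # no output, or zero-length output
      printf '%s\n' "${_mv##*/}"
      _missing=1
    fi
  done
  return "$_missing"
}

# List the externally callable surface of one decompiled module: declaration
# lines that start with `public` or `entry` (optionally preceded by `native`),
# with indentation and the trailing `{` removed. Private `fun` lines are skipped.
# Assumption: each declaration sits on a single line, as in the sample output.
public_functions() {
  grep -E '^[[:space:]]*(native[[:space:]]+)?(public|entry)[^;{]*[[:space:]]fun[[:space:]]' -- "$1" \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]*\{[[:space:]]*$//'
}
```
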
For a more friendly UI with enhanced accessibility and user experience, Revela is also available as an online tool at https://revela.verichains.io.
Looking forward, Verichains is planning additional features for the Revela decompiler. Verichains’ dedication to adapting the tool to the evolving updates and features of the Move language and Aptos system underscores its commitment to the Move language community.
For the community, by the community
The Revela Decompiler is open source under the Apache license, fostering a collaborative community effort and encouraging developers and security researchers worldwide to dive into its functionality and further development. You can find it on Verichains’ GitHub at https://github.com/verichains/revela.
With the ultimate goal of making these tools widely accessible, Verichains is leading the way towards a new era of transparency and security for developers. They are actively exploring opportunities to extend Revela’s functionality to other blockchains.
Dr. Nguyen, the Chief Research and Development engineer at Verichains, shared his thoughts on the Revela Decompiler:
“The Revela decompiler effectively open-sources all the smart contracts on the Aptos blockchain, enabling comprehensive security audits of on-chain code that were previously infeasible. It is really a game changer!”
About Verichains
Verichains is a leading blockchain security provider specializing in cryptanalysis, audits, and app security. Renowned for mitigating major Web3 hacks like Ronin and BNB Chain Bridge, we blend research with practical solutions for comprehensive industry protection. Verichains’ world-class security and cryptography research team has successfully identified critical vulnerabilities impacting billions of dollars across the industry, uncovering flaws within the core of Multi-Party Computation (MPC) and Zero-Knowledge Proofs (ZKP) implementations by major vendors. As a trusted security partner to leading Web3 companies and Crypto Exchanges like BNB Chain, Polygon Labs, WEMIX, Aptos, Klaytn, Bullish and DWF Labs, Verichains leverages its deep roots in traditional cybersecurity to deliver cutting-edge solutions for a safer, more secure Web3 ecosystem.