The Sui Foundation has expanded its existing bug bounty program to accept submissions against a full rewrite of the Sui virtual machine (VM), the core execution layer that processes every smart contract on the network. The new VM code went public on GitHub on March 16, 2026, and the foundation is targeting a Mainnet deployment in early April. Researchers can submit vulnerabilities through HackenProof at full Mainnet reward rates starting today, before the new VM has even reached Testnet.

The foundation said "Sui's execution layer is getting its most significant improvement since launch." A critical vulnerability finding pays out up to $500,000 USD. High-severity findings pay $50,000, medium findings pay $10,000, and low-severity issues pay $5,000. Sui's bug bounty program has been running since September 2023 and has paid out roughly $1 million in total rewards to date, according to HackenProof.

What Changed in the VM

The virtual machine is the runtime interpreter that executes Move bytecode. Move is the smart contract language used by both Sui and Aptos, originally developed for the Diem project at Meta. Unlike Ethereum's EVM, the Move VM verifies code safety before execution, enforcing type safety and memory constraints at the interpreter level. This architecture eliminates an entire class of smart contract vulnerabilities common on EVM-based chains. The rewrite does not change this security model but overhauls the internals in three ways.

First, the new VM introduces per-package caching. Currently, package code must be reloaded more frequently during execution. The new approach caches individual packages, reducing load times and memory consumption at scale. Second, the type storage and resolution system has been reworked, cleaning up how data types are tracked and matched across packages. Third, the instruction interpreter itself has been redesigned to change how individual operations are processed at runtime.

The foundation stated the rewrite also "lays the groundwork for future Move language features that the current architecture could not easily support," framing this as a platform upgrade rather than a performance patch alone.

Market Context

SUI is trading at approximately $1.06 USD as of March 16, 2026, with a market cap near $4.15 billion and a CoinGecko ranking of #28. DeFi total value locked on Sui sits at roughly $623 million, down from a peak of around $2.3 billion in July 2025. The network is processing approximately 866 real transactions per second under current load, against a theoretical maximum capacity exceeding 125,000 TPS.

Developers and traders should note that the VM's planned Mainnet deployment window overlaps with a scheduled 42.9 million SUI token unlock on April 1, 2026. The combination of a major infrastructure upgrade and a supply event in the same week may create conditions for short-term price volatility that market participants should monitor.

Regional Implications: Africa and South Asia

For developers in Africa and South Asia, the VM upgrade has direct practical consequences.

Sui launched SuiHub Lagos in July 2025, its fourth global physical hub after earlier hubs in Dubai, Vietnam, and Athens, to support Nigeria's developer community with Move programming workshops, office hours, and connections to international funding. The hub's activities extend into Ghana and Kenya. Christian Thompson, managing director of the Sui Foundation, noted at the time that "Lagos is home to one of the most energetic tech communities in the world right now." Adeniyi Abiodun, co-founder of Mysten Labs, has also personally launched a fund to support Nigerian students training as blockchain developers. The per-package caching improvements in the new VM are particularly relevant in low-bandwidth network environments common across parts of sub-Saharan Africa, where faster smart contract load times affect user experience directly. One application serving this market is Uhuru, a WhatsApp-based blockchain wallet targeting Southern African users for peer-to-peer transfers, merchant payments, airtime purchases, and utility bill payments.

For South Asian developers, Sui has run hackathons with regional participation through partnerships with DSRV and operates the Mysten Labs LAUNCH Career Program, a junior developer internship initiative with relevance to the large engineering talent pools in India, Pakistan, and Bangladesh. A faster, more memory-efficient VM lowers the operational overhead for developers running Sui infrastructure, and forward compatibility with future Move language features means that builders in both regions are investing in an architecture explicitly designed for extension.

The bug bounty window also represents a concrete opportunity. Vulnerability researchers across Africa and South Asia can submit findings at Mainnet rates before the new code reaches Testnet, an unusual early-access arrangement for a security review of this scale.

What Comes Next

Mainnet deployment is planned for early April 2026, though a significant vulnerability finding could affect that timeline. This VM rewrite is the first major infrastructure announcement of 2026 for Sui, following a 2025 that brought the Mysticeti v2 consensus upgrade (sub-second transaction finality), Walrus (decentralized storage), Seal (access control), and Nautilus (off-chain data indexing). The foundation has stated that 2026 will focus on moving from infrastructure-building toward consumer-facing products. A more efficient execution layer directly enables that shift, as the foundation has described.

Security researchers can review the new VM code in the MystenLabs/sui repository on GitHub and submit findings through the official bug bounty page at sui.io/bug-bounty-program.