Deployment Address Mismatch — Module Fails to Publish

Description

• In Aptos Move, a module must be deployed under the address declared in its module path (e.g., module owner::vault).

• The Aptos VM enforces that the publisher’s sender address must match the declared module address.

  In this case, the developer originally declared:

• But attempted to publish from the owner account (0xaceb6...), not the secret_vault account (0x94c3...).
  This mismatch caused the error

• Compiled modules address 0x94c3... does not match the sender 0xaceb6...

After correcting the declaration to:

The deployment succeeded, because the sender and module address aligned.

Risk

Likelihood:

• Reason 1: This bug always occurs at deployment when the named module address does not match the publishing account’s address.

• Reason 2: Developers may accidentally set the wrong module path (secret_vault::vault) if they misunderstand how Move.toml named addresses map to deployment accounts.

Impact:

• Impact 1: Deployment fails completely, preventing the contract from being published.

• Impact 2: If multiple developers are involved, one might incorrectly assume the module is deployable under secret_vault, leading to confusion, delays, or failed CI/CD deployments.

Proof of Concept

Failing Deployment

Error:

Successful Deployment

Result:

Recommended Mitigation

• Always ensure the declared module address (first named address) matches the account deploying the contract.

• In Move.toml, clearly document which address placeholder (owner or secret_vault) is intended for deployment.

• If a different account must deploy (e.g., secret_vault), ensure you switch your --profile sender to that account instead of changing the module path.