Awesome Starknet Security
A curated list of awesome Starknet security resources, tools, CTFs and more.
Please check the contribution guidelines for information on formatting and writing pull requests.
Contents
Tools
- Aegis - Formal verification tool for Cairo.
- amarna - Static analyzer and linter for the Cairo programming language.
- Cairo Fuzzer - Fuzzing tool for Cairo.
- Caracal - Static analyzer for Sierra.
- Semgrep - Static analyzer for Cairo.
- Starknet-Foundry - Starknet contracts development toolkit.
- Thoth - Decompiler and security toolkit.
CTFs and Wargames
CTFs
- Curta puzzle #13: Ping Pong - Starknet messaging challenge.
- Paradigm CTF 2022 - Paradigm CTF with Solidity and Cairo challenges.
- StarknetCC-CTF Lisbon 2022 - Lisbon 2022 Cairo CTF.
CTF writeups
- StarknetCC-CTF - StarknetCC 2022 CTF writeup by pscott.
- StarknetCC-CTF - StarknetCC 2022 CTF writeup by Ledger.
Wargames
- cairo-damn-vulnerable-defi - Cairo and Starknet challenges inspired by Capture the Ether.
- Node Guardians - Online wargame and challenge with quests and standalone challenges.
- Starknet-Security-Challenges - Cairo and Starknet challenges inspired by Capture the Ether.
- Underhanded Cairo - Cairo challenges on cairopractice.com.
Audit reports
Cairo
- Argent Account and Multisig - Argent account and Argent Multisig for Starknet audit by Consensys Diligence.
- Starknet ID - Starknet ID audit by Nethermind.
- zkLend - zkLend audit by Nethermind.
Cairo 0
- Briq - Briq protocol audit by Nethermind.
- ChainSecurity DAI Bridge Audit - MakerDAO's DAI bridge audit by ChainSecurity.
- Empiric Network - Empiric network audit by Zellic.
- SithSwap - SithSwap AMM audit by Nethermind.
- SHA256 from Cartridge - Audit of the SHA-256 implementation from Cartridge by Nethermind.
Blogposts and Tutorials
Writeups
- Auditing Cairo 1.0 Contracts - Cairo auditing tips and pitfalls.
- Cairo 0.x Security - Cairo 0.x pitfalls and considerations.
- Cairo Contracts and pitfalls overview - Cairo traps and vulnerabilities.
- Adventures with Account Abstraction – Risks and Mitigations in __validate__ - Considerations for the __validate__ function of Starknet smart accounts.
- Under the hood of Cairo 1 - Understanding Sierra code.
- Zero-Click Argent-X Wallet Contract Vulnerability, Explained - Vulnerability in implementing Starknet smart account.
Video tutorials
- Cairo Security (Peteris Erins) - Spearbit seminar on Cairo security.
Twitter threads
General
Repositories and Examples
- not-so-smart-cairo - Examples of common Cairo smart contract vulnerabilities by Trail of Bits.
License
To the extent possible under law, amanusk has waived all copyright and related or neighboring rights to this work.