Awesome Starknet Security

A curated list of awesome Starknet security resources, tools, CTFs and more.

Please check the contribution guidelines for information on formatting and writing pull requests.

Contents

• Tools
• CTFs and Wargames
  • CTFs
  • CTF writeups
  • Wargames
• Audit reports
  • Cairo
  • Cairo 0
• Blogposts and Tutorials
  • Writeups
  • Video tutorials
  • Twitter threads
• General
  • Repositories and Examples
• License

Tools

• Aegis - Cairo Formal verification tool.
• amarna - Static-analyzer and linter for the Cairo programming language.
• Cairo Fuzzer - Cairo Fuzzing tool.
• cairo-profiler - Profiler for Cairo and Starknet.
• cairovm.codes - Compile and debug Sierra code.
• Caracal - Static analyzer tool over Sierra.
• entro - Decoding and indexing Starknet data.
• Semgrep - Static analyzer for Cairo.
• sierra-analyzer - Security toolkit in Rust for analyzing Sierra files.
• Starknet Foundry - Starknet contracts development toolkit.
• StarkRekt - Check and reset their token spending permissions on Starknet.
• StarkRevoke - Token revocation tool for Starknet.
• Thoth - Decompiler and security toolkit.

CTFs and Wargames

CTFs

• Curta puzzle #13: Ping Pong - Starknet messaging challenge.
• Paradigm CTF 2022 - Paradigm CTF with Solidity and Cairo challenges.
• StarknetCC-CTF Lisbon 2022 - Lisbon 2022 Cairo CTF.

CTF writeups

• StarknetCC-CTF - StarknetCC 2022 CTF writeup by pscott.
• StarknetCC-CTF - StarknetCC 2022 CTF writeup by Ledger.

Wargames

• cairo-damn-vulnerable-defi - Cairo and Starknet challenges inspired by Capture the Ether.
• Node Guardians - Online wargame and challenge with quests and standalone challenges.
• Starknet-Security-Challenges - Cairo and Starknet challenges inspired by Capture the Ether.
• Underhanded Cairo - Cairo challenges in cairopractice.com.

Audit reports

Cairo

• Argent Account and Multisig - Argent account and Argent Multisig for Starknet audit by Consensys Diligence.

• AVNU - AVNU audit by Nethermind.

• Braavos - Braavos Account audit by Nethermind.

• Carmine - Carmine audit by Nethermind.

• Nimbora - Nimbora V2 report by Cairo- Security-Clan.

• Opus - Opus Code4rena contest report.

• Pragma - Pragma oracle audit by Nethermind.

• Unruggable.meme - Unruggable meme protocol community audits by Antoine M., Credennce0x, 0xerim.

• ZKX - ZKX audit by Nethermind.

Cairo 0

• Briq - Briq protocol audit by Nethermind.

• ChainSecurity DAI Bridge Audit - MakerDAO's DAI bridge audit by ChainSecurity.

• Empiric Netowrk - Empiric network audit by Zellic.

• SithSwap - SithSwap AMM by Nethermind.

• SHA256 from Cartridge - audit of SHA-256 implementation from Cartridge by Nethermind.

Blogposts and Tutorials

Writeups

• Adventures with Account Abstraction – Risks and Mitigations in __validate__ - Considerations for __validate__ function of Starknet smart accounts.
• Auditing Cairo 1.0 Contracts - Cairo auditing tips and pitfalls.
• Cairo 0.x Security - Cairo 0.x pitfalls and considerations.
• Cairo Contracts and pitfalls overview - Cairo traps and vulnerabilities.
• Cairo: the Starknet way to writing safe code - Comparing Cairo and Solidity for smart contracts.
• Introduction to Cairo 1 smart-contracts security - Introduction to Cairo 1 security, tips and considerations.
• Under the hood of Cairo 1 - Understanding Sierra code.
• Zero-Click Argent-X Wallet Contract Vulnerability, Explained - Vulnerability in implementing Starknet smart account.

Video tutorials

• Cairo Security (Peteris Erins) - Spearbit seminar on Cairo security.
• Code4rena x Starknet Basecamp - Starknet basecamp for first Cairo contest.

Twitter threads

General

Repositories and Examples

• not-so-smart-cairo - Examples of common Cairo smart contract vulnerabilities by Trail of Bits.

---

License

To the extent possible under law, amanusk has waived all copyright and related or neighboring rights to this work.