Cairo & Starknet Security

Cairo Smart Contract
Security

Starknet changes accounts, messages, upgrades, and math. Learn the Cairo audit checks before your Solidity instincts miss the bug.

Contract accounts L1-L2 handlers Class hash upgrades
JohnnyTime Guide by JohnnyTime
Cairo language logo artwork
Cairo Audit Surface Different VM. Different review habits.
Starknet
Message Flow

Validate L1 source, replay rules, and failed messages.

Cairo Audit Note
check __validate__
trace l1_handler
review class_hash
test felt252 bounds

Cairo auditing is a
different review surface.

Your EVM instincts still help. These are the places where they need backup.

01
Contract accounts
  • Validate signatures
  • Check nonce flow
  • Review custom wallet logic
02
Async messages
  • Verify L1 source
  • Map replay paths
  • Handle failed messages
03
Cairo types
  • Trace felt252 assumptions
  • Check u256 conversions
  • Review bounds and division

Review Cairo contracts
in the right order.

Model authority first. Then messages, upgrades, and numeric assumptions.

1

Account model

  • Check __validate__
  • Review signer assumptions
  • Trace nonce handling
2

Cross-layer messages

  • Validate l1_handler source
  • Map replay and cancellation
  • Test failed bridge states
3

Upgrade surface

  • Protect class hash changes
  • Review initializer state
  • Trace admin recovery paths
4

Numeric assumptions

  • Check felt252 and u256
  • Review rounding and division
  • Test boundary values

Build Starknet
security judgment.

Practice Cairo-specific review habits: accounts, messages, upgrades, and proof-driven findings.

Hands-on labs Cairo attack surfaces Auditor workflow