Auditing Cairo 1.0 Contracts

A challenge we face when there has been a major upgrade or change to a language or protocol is to bootstrap the experience necessary to audit code in the new language.

Although Cairo 1 is substantially different to Cairo 0, the problem is not as daunting as it might first appear, and we can do more than point out good practices and wait for vulnerabilities to come to light by being exploited.

This article will therefore suggest an approach that can be used now when auditing Cairo 1 contracts.

We can informally categorise the potential issues as

• Smart Contract Issues
• Starknet Issues
• Cairo Issues

Smart Contract Issues

Cairo code runs in a similar context to Solidity contracts, so we can look for issues such as

• Correct Access control
• Sanitising / checking function inputs for validity
• For upgradable contracts ensuring initialisation is done correctly (likely only once, and by an administrator)

Starknet Issues

Issues that are particular to Starknet that we wouldn’t see on EVM include

• Storage clashes due to name clashes
• The view function decorator not being enforced, allowing unintended state change
• Issues arising from the fact that accounts are handled…