
Cairo/Starknet Auditor

Audience: auditors and engineers reviewing Cairo contracts, Starknet protocols, account abstraction, bridges, and L2 messaging.

Outcomes

  • Understand Cairo syntax, storage, components, traits, felt252 field arithmetic and integer conversions, and Starknet accounts.
  • Review account abstraction, signature validation, nonce handling, and transaction flows.
  • Analyze L1/L2 messaging, bridge assumptions, and sequencer/finality risks.
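The arithmetic point in the first outcome is the one that most often surprises auditors coming from the EVM, so here it is as a small Cairo test module. This is an added example, not code from the page or from any project it links; it assumes Cairo 2.x tooling (scarb test or snforge) and the corelib panic strings named in the comments are those emitted at the time of writing.

```cairo
// Added example: the arithmetic facts a reviewer checks before signing off on
// balance or fee math in Cairo. Assumes Cairo 2.x; run with `scarb test`.

#[cfg(test)]
mod arithmetic_review {
    // felt252 arithmetic is modulo the STARK prime P. There is no overflow
    // check: P - 1 plus 1 silently becomes 0, and 0 - 1 silently becomes P - 1.
    #[test]
    fn felt252_wraps_silently() {
        let p_minus_one: felt252 = 0 - 1;
        assert(p_minus_one + 1 == 0, 'felt252 should wrap to 0');
        // felt252 has no ordering either: `a < b` does not compile, so a
        // check such as "balance >= amount" cannot be expressed on a felt.
    }

    // Sized integers do check: u256 (and u8..u128) addition panics on
    // overflow, which is why balances and amounts belong in these types.
    #[test]
    #[should_panic]
    fn u256_overflow_panics() {
        let max: u256 = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;
        let _ = max + 1; // panics with 'u256_add Overflow'
    }

    #[test]
    #[should_panic]
    fn u256_underflow_panics() {
        let zero: u256 = 0;
        let _ = zero - 1; // panics with 'u256_sub Overflow'
    }

    // Conversions: felt252 -> u128 is fallible; `try_into` returns None for
    // any value >= 2^128, while `into` in the other direction always succeeds.
    // A reviewer looks for `.unwrap()` on a felt that comes from calldata or
    // from an L1 payload, because that unwrap is the only range check.
    #[test]
    fn felt_to_u128_is_fallible() {
        let fits: felt252 = 0xffffffffffffffffffffffffffffffff; // 2^128 - 1
        let too_big: felt252 = fits + 1;                        // 2^128
        let ok: Option<u128> = fits.try_into();
        let bad: Option<u128> = too_big.try_into();
        assert(ok.is_some(), 'should fit');
        assert(bad.is_none(), 'should not fit');
        // u256 is two u128 limbs assembled as (low, high). A payload that
        // carries only `low` yields a value silently capped below 2^128.
        let assembled = u256 { low: ok.unwrap(), high: 0 };
        let expected: u256 = fits.into();
        assert(assembled == expected, 'limbs should round-trip');
    }
}
```

The two `should_panic` tests are the behaviour you want to see in a protocol's own test suite for every balance, supply and fee computation; a suite that only tests the happy path has not verified the arithmetic assumption in the checklist below.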

Roadmap

| Stage | Focus | Proof of work |
| --- | --- | --- |
| Cairo language | Types, storage, components, traits, testing | Build and test a small token or vault. |
| Starknet model | Accounts, contracts, classes, deployment, fee model | Explain account abstraction trust boundaries. |
| Security review | Access control, arithmetic, signatures, upgradeability | Write a report for a toy Cairo protocol. |
| Messaging | L1/L2 messages, replay, finality, bridge accounting | Threat model a bridge deposit/withdraw flow. |
| Advanced | Provers, DA, sequencer, appchain assumptions | Document protocol-specific assumptions. |

Must Learn

| Resource | Why |
| --- | --- |
| Cairo Book | Primary Cairo language reference. |
| Starknet Docs | Platform, accounts, contracts, and tooling reference. |
| Starknet Foundry | Testing framework for Cairo contracts. |
| OpenZeppelin Cairo Contracts | Security-reviewed Cairo components and patterns. |
| Awesome Starknet Security | Curated Cairo/Starknet security tools, audits, CTFs, and practice material. |

Review Checklist

  • Signature validation, nonce handling, and every account abstraction entry point (__validate__, __execute__, __validate_declare__, __validate_deploy__) are explicit, with the validation step kept free of state other accounts can change.
  • Storage layout and upgrade behavior (replace_class, storage compatibility across class versions) are documented.
  • Arithmetic assumptions are verified: felt252 wraps modulo the field prime and has no ordering, sized integers (u8 through u256) panic on overflow, and felt252-to-integer conversions are fallible and checked.
  • #[l1_handler] functions validate from_address (the L1 sender the sequencer supplies) against the expected L1 contract, validate the payload, and make replay protection and finality assumptions explicit.
  • Admin functions and emergency controls have clear governance (who can call them, under what delay) and monitoring.
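To make the messaging and arithmetic items concrete, here is the L2 side of a hypothetical deposit/withdraw bridge written the way the checklist asks for. This is an added example, not code from the page, from StarkGate or from any other real bridge; the contract name, event names, the L1 payload layout and the Cairo 2.7+ storage API (`Map`, `StorageMapReadAccess`) are assumptions of the example.

```cairo
// Added example: hypothetical L2 bridge contract illustrating the review
// checklist. Not a real bridge; assumes Cairo 2.7+ corelib and storage API.
use starknet::{ContractAddress, EthAddress};

#[starknet::interface]
pub trait IL2Bridge<TContractState> {
    fn balance_of(self: @TContractState, account: ContractAddress) -> u256;
    fn initiate_withdraw(ref self: TContractState, l1_recipient: EthAddress, amount: u256);
}

#[starknet::contract]
pub mod L2Bridge {
    use core::num::traits::Zero;
    use starknet::{ContractAddress, EthAddress, get_caller_address};
    use starknet::storage::{
        Map, StorageMapReadAccess, StorageMapWriteAccess, StoragePointerReadAccess,
        StoragePointerWriteAccess,
    };
    use starknet::syscalls::send_message_to_l1_syscall;
    use starknet::SyscallResultTrait;

    #[storage]
    struct Storage {
        // The only L1 address allowed to trigger the l1_handler. Set once in the
        // constructor; a setter for it would be an admin function under the
        // last checklist item and would need governance and monitoring.
        l1_bridge: felt252,
        // u256, not felt252: addition panics on overflow instead of wrapping.
        balances: Map<ContractAddress, u256>,
    }

    #[event]
    #[derive(Drop, starknet::Event)]
    pub enum Event {
        DepositHandled: DepositHandled,
        WithdrawInitiated: WithdrawInitiated,
    }

    #[derive(Drop, starknet::Event)]
    pub struct DepositHandled {
        #[key]
        pub recipient: ContractAddress,
        pub amount: u256,
    }

    #[derive(Drop, starknet::Event)]
    pub struct WithdrawInitiated {
        #[key]
        pub account: ContractAddress,
        pub l1_recipient: EthAddress,
        pub amount: u256,
    }

    #[constructor]
    fn constructor(ref self: ContractState, l1_bridge: EthAddress) {
        let l1_bridge_felt: felt252 = l1_bridge.into();
        assert(l1_bridge_felt != 0, 'L1 bridge must be set');
        self.l1_bridge.write(l1_bridge_felt);
    }

    // Runs inside an L1_HANDLER transaction that the sequencer creates when the
    // Starknet core contract on L1 relays a message. `from_address` is the L1
    // sender the sequencer prepends to the payload; without the comparison
    // below, any L1 account could mint by sending a message to this contract.
    // get_caller_address() is 0 in this context and must not be used as the
    // sender check. Delivery is once per message, so replay protection for
    // L1->L2 rests on the core contract, not on a nonce kept here.
    #[l1_handler]
    fn handle_deposit(
        ref self: ContractState, from_address: felt252, l2_recipient: ContractAddress, amount: u256,
    ) {
        assert(from_address == self.l1_bridge.read(), 'Caller is not the L1 bridge');
        // `amount: u256` is deserialized from two payload felts (low, high); a
        // limb outside the u128 range fails deserialization and reverts here.
        assert(amount != 0, 'Zero deposit');
        assert(!l2_recipient.is_zero(), 'Zero recipient');
        let new_balance = self.balances.read(l2_recipient) + amount; // panics on overflow
        self.balances.write(l2_recipient, new_balance);
        self.emit(Event::DepositHandled(DepositHandled { recipient: l2_recipient, amount }));
    }

    #[abi(embed_v0)]
    impl L2BridgeImpl of super::IL2Bridge<ContractState> {
        fn balance_of(self: @ContractState, account: ContractAddress) -> u256 {
            self.balances.read(account)
        }

        // Debit first, then send the L2->L1 message. The message becomes
        // consumable on L1 only after the block is proven and the state update
        // is accepted there; the debit is final once this transaction is
        // accepted on L2, so the same balance cannot back two withdrawals.
        fn initiate_withdraw(ref self: ContractState, l1_recipient: EthAddress, amount: u256) {
            let caller = get_caller_address();
            let balance = self.balances.read(caller);
            assert(amount != 0, 'Zero withdraw');
            assert(balance >= amount, 'Insufficient balance');
            self.balances.write(caller, balance - amount);
            // Payload layout the hypothetical L1 side decodes: [recipient, low, high].
            let payload: Array<felt252> = array![
                l1_recipient.into(), amount.low.into(), amount.high.into(),
            ];
            send_message_to_l1_syscall(self.l1_bridge.read(), payload.span()).unwrap_syscall();
            self.emit(Event::WithdrawInitiated(WithdrawInitiated { account: caller, l1_recipient, amount }));
        }
    }
}
```

When reviewing a real bridge, compare each of these decisions against the code under audit: where the trusted L1 address comes from and who can change it, whether the handler checks `from_address` before touching state, which integer type the accounting uses, and whether the L2 debit happens before the outbound message is sent.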

Educational resource only. Links and listings are not endorsements by Raiders0786, DigiBastion, maintainers, contributors, or this project. Verify third-party resources before relying on them. Not legal, financial, investment, compliance, or professional security advice. Read the full disclaimer.