This repository contains examples of common Cairo smart contract vulnerabilities, including code from real smart contracts. Use Not So Smart Contracts to learn about Cairo vulnerabilities, as a reference when performing security reviews, and as a benchmark for security and analysis tools.
Each Not So Smart Contract includes a standard set of information:
- Description of the vulnerability type
- Attack scenarios to exploit the vulnerability
- Recommendations to eliminate or mitigate the vulnerability
- Real-world contracts that exhibit the flaw
- References to third-party resources with more information

| Not So Smart Contract | Description |
|---|---|
| Improper access controls | Broken access controls due to StarkNet account abstraction |
| Integer division errors | Unexpected results due to division in a finite field |
| View state modifications | View functions don't prevent state modifications |
| Arithmetic overflow | Arithmetic in Cairo is not safe by default |
| Signature replays | Account abstraction requires robust reuse protections |
| L1 to L2 Address Conversion | L1 to L2 messaging requires L2 address checks |
| Incorrect Felt Comparison | Unexpected results can occur during felt comparison |
| Namespace Storage Var Collision | Storage variables are not scoped by namespaces |
| Dangerous Public Imports in Libraries | Non-imported external functions can still be called |

These examples are developed and maintained by Trail of Bits.
If you have questions, problems, or just want to learn more, then join the #ethereum channel on the Empire Hacking Slack or contact us directly.