Skip to content

Latest commit

 

History

History

(Not So) Smart Contracts

This repository contains examples of common Cairo smart contract vulnerabilities, featuring code from real smart contracts. Utilize the Not So Smart Contracts to learn about Cairo vulnerabilities, refer to them during security reviews, and use them as a benchmark for security analysis tools.

Features

Each Not So Smart Contract consists of a standard set of information:

  • Vulnerability type description
  • Attack scenarios to exploit the vulnerability
  • Recommendations to eliminate or mitigate the vulnerability
  • Real-world contracts exhibiting the flaw
  • References to third-party resources providing more information

Vulnerabilities

Not So Smart Contract Description
Arithmetic overflow Insecure arithmetic in Cairo for the felt252 type
L1 to L2 Address Conversion Essential L2 address checks for L1 to L2 messaging
L1 to L2 message failure Messages sent from L1 may not be processed by the sequencer
Overconstrained L1 <-> L2 interaction Asymmetrical checks on the L1 or L2 side can cause a DOS
Signature replays Necessary robust reuse protection due to account abstraction
Unchecked from address in L1 Handler Access control issue when sending messages from L1 to L2

Credits

These examples are developed and maintained by Trail of Bits.

If you have any questions, issues, or wish to learn more, join the #ethereum channel on the Empire Hacking Slack or contact us directly.