(Not So) Smart Contracts

This repository contains examples of common Cairo smart contract vulnerabilities, featuring code from real smart contracts. Utilize the Not So Smart Contracts to learn about Cairo vulnerabilities, refer to them during security reviews, and use them as a benchmark for security analysis tools.


Each Not So Smart Contract consists of a standard set of information:

  • Vulnerability type description
  • Attack scenarios to exploit the vulnerability
  • Recommendations to eliminate or mitigate the vulnerability
  • Real-world contracts exhibiting the flaw
  • References to third-party resources providing more information


Not So Smart ContractDescription
Improper access controlsFlawed access controls due to StarkNet account abstraction
Integer division errorsUnforeseen results from division in a finite field
View state modificationsLack of prevention for state modifications in view functions
Arithmetic overflowInsecure arithmetic in Cairo by default
Signature replaysNecessary robust reuse protection due to account abstraction
L1 to L2 Address ConversionEssential L2 address checks for L1 to L2 messaging
Incorrect Felt ComparisonUnexpected results from felt comparison
Namespace Storage Var CollisionStorage variables unscoped by namespaces
Dangerous Public Imports in LibrariesAbility to call nonimported external functions


These examples are developed and maintained by Trail of Bits.

If you have any questions, issues, or wish to learn more, join the #ethereum channel on the Empire Hacking Slack or contact us directly.