🚀 I Want to Become a StarkNet/Cairo Auditor — Here’s My Starting Point & I’d Love a Roadmap

    Arif

    @ofh3VYy
    Updated: Nov 25, 2025
    Views: 96

    I’m transitioning my focus toward StarkNet and Cairo security auditing and would appreciate guidance from anyone experienced in the ecosystem.

    What I know so far:

    • Solidity development

    • Hardhat, Foundry, and advanced EVM concepts

    • Cyfrin Updraft (Foundry Advanced + Security) — in progress, completing December 2025

    • Smart contract testing, fuzzing, and common Ethereum vulnerability patterns

    • Strong understanding of Ethereum security principles and auditing workflows

    Why StarkNet/Cairo?

    The ecosystem is young, rapidly evolving, and has a huge demand for auditors who understand Cairo’s unique architecture, storage model, and system-level constraints. I want to specialize early and grow with the ecosystem.

    What I need now:

    A clear roadmap for becoming a Cairo/StarkNet security auditor after finishing Cyfrin’s security course.

    If anyone has a structured approach, personal experience, or resources that helped you transition from Ethereum → Cairo security, I’d love to hear it.

    Thanks in advance to everyone sharing their knowledge. This field is growing fast, and I’m committed to putting in the work.

    3 Replies
  • CryptoSagePriya

    @CryptoSagePriya (3w)

    Honestly, I made this switch last year (EVM → StarkNet/Cairo), and the biggest shock for me was realizing Cairo is not “Solidity but different.” It’s a totally different mental model. The sooner you drop EVM assumptions, the easier the transition becomes. What helped me the most:

    I spent the first 2–3 weeks just trying to understand how the Cairo VM thinks. Memory segments, builtins, implicit args… all of that felt super confusing at first. Once that clicked, the language suddenly felt way more logical.

    Storage was another area where I kept messing up. Cairo storage + StarkNet’s model is nothing like Solidity mappings. Stuff like LegacyMap, how storage keys get computed, how account contracts work by default… I kept running into weird bugs until I really sat down and studied how StarkNet handles state.

    Vulnerabilities are also different. A lot of the typical Solidity issues don’t even show up here, but weird Cairo-specific stuff appears instead — incorrect u256 handling, unsafe constructors, hint-related surprises, map key mistakes, people assuming upgradeability works like EVM proxies… I learned most of this by reading audit reports from Lambdaclass and Nethermind and trying to reproduce their findings.

    What really pushed me forward was picking a few Cairo repos and doing small self-audits. I did an OZ account contract, then a small AMM someone built in Cairo, and one NFT project. Writing those findings down like a real audit was honestly more valuable than any tutorial. Tooling-wise: Scarb, StarkNet Foundry, Starkli — get comfortable with these. They’ll save you weeks.

    And if you’re not already in the StarkNet Discord and the Lambdaclass repos… join them. StarkNet is tiny compared to EVM, people actually answer your questions, and you see stuff break in real time, which is weirdly helpful. If you stick with it for a few months after your Cyfrin course, you’ll be ahead of most people. There just aren’t many Cairo auditors yet.

    If you want, I can share what I’d skip/avoid too — I wasted time on a few things early on that didn’t matter.

  • Arif

    @ofh3VYy (3w)

    @CryptoSagePriya Really appreciate your breakdown — it clears up a lot. You mentioned there were things you’d skip or avoid when learning Cairo. I’d love to know what those were so I don’t waste time on the wrong stuff.

  • DeFiArchitect

    @DeFiArchitect (2w)

    I’ve been reviewing Cairo code for a while now, and the thing nobody warns you about is how much of StarkNet security depends on understanding the system around the contract, not just the contract itself. Coming from Solidity, you expect the contract to be the center of everything. In StarkNet, a lot of the “danger zones” sit outside your file: syscalls, class hashes, how upgradeability is handled, how the account contract behaves, even how the sequencer batches things.

    One example: I’ve seen people write perfectly clean Cairo functions but completely mis-handle how storage keys get computed, especially when mixing structs + maps. Looks harmless in tests, but breaks in production because the hashing model isn’t intuitive at all compared to the EVM layout.

    Another thing that caught me early — Cairo’s type system gives you a false sense of safety. People assume Result and Option patterns magically prevent bad states. They don’t. You still need to police every edge case manually. I’ve found more bugs in “overly safe”-looking Cairo code than in sloppy ones.

    And if you plan to audit seriously, don’t underestimate StarkNet’s account model. It changes basic assumptions around auth, signatures, and replay protection. A lot of rookie auditors look at business logic but forget to validate how the account contract is interacting with it.

    Once these mental shifts settle, the audits become fun. But those are the areas I’d say you should pay extra attention to while learning — because they’re where 80% of real-world issues hide.

    If you want, I can share a list of “Cairo gotchas” I keep for myself — random things I’ve seen break in the wild that don’t show up in docs.
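    Two of the Cairo-specific pitfalls named in this thread (CryptoSagePriya's "incorrect u256 handling" and DeFiArchitect's point that the type system gives a false sense of safety) can be modelled outside Cairo. The block below is an added example, not code from either poster: it reproduces felt252 arithmetic (which wraps silently modulo the STARK prime) and the two-limb u256 representation, where a limb outside 128 bits is a malformed value that must be rejected explicitly. Function names are the example's own.

```python
# Added example, not from the thread. Models two Cairo arithmetic pitfalls:
# 1) felt252 add/mul wrap modulo the STARK prime with no overflow signal,
#    unlike the checked integer types (u8..u256) that panic on overflow;
# 2) u256 is stored as (low, high) 128-bit limbs, and a limb >= 2^128 is
#    malformed input that a careless helper will happily accept.

STARK_PRIME = 2**251 + 17 * 2**192 + 1   # felt252 field modulus
LIMB_BOUND = 2**128                       # each u256 limb must be below this


def felt_add(a: int, b: int) -> int:
    """Field addition: wraps modulo P silently, as Cairo felt252 does."""
    return (a + b) % STARK_PRIME


def felt_mul(a: int, b: int) -> int:
    """Field multiplication: also wraps modulo P with no error."""
    return (a * b) % STARK_PRIME


def is_well_formed_u256(low: int, high: int) -> bool:
    """The range check that unchecked limb handling forgets."""
    return 0 <= low < LIMB_BOUND and 0 <= high < LIMB_BOUND


def u256_to_limbs(value: int) -> tuple[int, int]:
    """Split a u256 into (low, high) limbs, the Cairo representation."""
    if not 0 <= value < 2**256:
        raise ValueError("value out of u256 range")
    return value % LIMB_BOUND, value // LIMB_BOUND


def limbs_to_u256(low: int, high: int) -> int:
    """Recombine limbs, rejecting malformed ones instead of trusting them."""
    if not is_well_formed_u256(low, high):
        raise ValueError("limb outside 128-bit range")
    return high * LIMB_BOUND + low


def checked_u256_add(a: int, b: int) -> int:
    """Checked addition over the limb representation; raises on overflow."""
    total = limbs_to_u256(*u256_to_limbs(a)) + limbs_to_u256(*u256_to_limbs(b))
    if total >= 2**256:
        raise OverflowError("u256 overflow")
    return total


def felt_balance_wraps() -> bool:
    """A felt252 'balance' one below P plus 2 silently becomes 1."""
    return felt_add(STARK_PRIME - 1, 2) == 1
```

The contrast to keep in mind while reviewing Cairo code: `felt_add` never fails, so a balance or counter kept in felt252 can wrap without any revert, whereas the limb-based path only stays safe because the range check and the overflow check are written out explicitly.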

  • Arif

    @ofh3VYy (2w)

    Please share that list of "Cairo Gotchas!"
