Looking for StarkNet & Cairo Architecture Resources

I went down this exact rabbit hole last year when I started doing StarkNet reviews, and I’ll be honest — Cairo security only started making sense once I stopped trying to map it to Solidity.

What helped me first was Cairo VM internals, especially memory and segments. Not in a “read everything” way, but by slowly understanding why memory is structured the way it is and how builtins fit into execution. Once that clicked, a lot of things that felt weird in Cairo stopped feeling random.

For StarkNet architecture, I found it useful to trace a transaction end to end — calldata in, execution, state diff, proof. Reading a few StarkWare architecture blogs alongside the OS repo helped more than docs alone.

Storage and key computation is where I’ve seen the most subtle bugs. People assume storage behaves like Solidity mappings, and that’s usually wrong. Audit reports were actually the best resource here because you see the same mistakes repeated.

Account abstraction is powerful, but it’s also easy to mess up validation logic. I spent time reading multiple wallet implementations instead of just one.

Biggest lesson for me: if you can’t explain what gets proven and why, you’re probably missing something important.

I came into StarkNet from a more infra side, so I started with how the system works, not contracts.

Before even touching Cairo seriously, I spent time understanding STARKs at a high level — execution traces, constraints, why Cairo exists in the first place. I didn’t read full papers initially, just good explanations until the mental model stuck.

For Cairo VM, I learned more from reading code and issues than tutorials. Skimming the VM and StarkNet OS repos gave me context docs didn’t. Comments in PRs are surprisingly educational.

StarkNet’s state model is another thing that’s easy to underestimate. It’s not just “storage variables” — it’s how diffs are produced, committed, and proven. Once I understood that flow, contract behavior made a lot more sense.

If I had to give one piece of advice: treat StarkNet less like “Ethereum but different” and more like a verifiable computation pipeline. That shift helped me a lot.

I teach some of this stuff now, and what I see people struggle with most is trying to learn everything at once.

What worked for me was breaking it into layers.

First, I spent time on STARK fundamentals without touching Cairo code. Once I understood what a trace is and what constraints do, Cairo stopped feeling magical.

Then I treated Cairo as a proving language, not a smart contract language. Reading personal blogs and notes from people documenting their learning helped more than official docs here, because they show the confusion points.

Only after that did I go deep into StarkNet specifics — sequencer, provers, account abstraction. Comparing StarkNet AA with Ethereum EOAs made the design choices much clearer.

One thing I always recommend: read audit reports and postmortems early. They show real failure modes, not ideal examples.

If a resource only tells you how to do something but never explains why it exists, it’s probably not enough for security work.