Cairo Audit

Cairo audits, from day one.

Senior manual review of Cairo contracts on Starknet, Madara, and Kakarot. Felt arithmetic, storage layout, account contract logic, and the prover-side execution model.

Starknet · Madara · Kakarot · senior auditors only

Request an intro call
Why this exists

ZK doesn’t mean bug-free.

Cairo’s provability story is real and powerful. It tells you the program executed as written. It doesn’t tell you the program was written correctly. The bugs we look for in Cairo — felt math under arithmetic edges, storage collision in maps, account contract signer mistakes — are bugs whose proofs verify just fine.

Scope

What’s in the audit.

What we check

Cairo-specific risk classes

Storage layout collisions, felt arithmetic and overflow semantics, signer trust at the account-contract boundary, OZ Cairo upgradeable patterns, and hint injection on prover-side execution.

Tools

Scarb, Starknet Foundry, manual review

Starknet Foundry for invariant and fuzz tests, Scarb-based test runners, and a heavy manual pass over the felt math and storage logic where most Cairo bugs live.

Targets

Starknet, Madara, Kakarot

Cairo 1 / Cairo 2.x contracts on Starknet mainnet, app-chains built on Madara, and Kakarot (Cairo EVM equivalence) deployments.

Be our first Cairo case study

No public Cairo audits yet.

We’ve audited across Solidity, Solana, and Rust ecosystems, but our published Cairo work is still ahead of us. If you’re shipping on Starknet, Madara, or Kakarot, we’d be glad to be your first listed audit — with the same depth, tooling, and report quality we apply to every other engagement.

Talk to us about a Cairo audit
How pricing works

Scoped to your codebase.

Cairo audits are sized to your specific contracts, your account architecture, and your timeline. Talk to us for a scope and quote.

Request an intro call
FAQ

Questions.

Not yet. Our public engagements are concentrated in Solidity, Solana, and Rust ecosystems. If you're shipping Cairo, we'd be glad to be your first listed audit — and we'd treat the engagement with the same depth we apply to every other language we cover.

Felt arithmetic is not 256-bit modular arithmetic, storage maps use a different collision model, and account abstraction is the default rather than the exception. The biggest mental shift: Cairo's safety story is built on provability, not on the EVM's gas-and-revert model.

Both. Most production work has moved to Cairo 2.x and we follow the language and OZ Cairo ecosystem closely. Cairo 1 legacy code is in scope on request.

Yes. Account abstraction is the default on Starknet, so account contract review (signer logic, multicall, validation hooks) is a first-class scope item rather than an afterthought.

Yes. App-chains built on Madara and Cairo-EVM equivalence layers like Kakarot are in scope. We tag chain-specific assumptions explicitly so the report is portable across deployments.

Two to four weeks for typical scope. We scope and quote against your specific codebase before you commit.

From our research

Go deeper.

Year in review

2025 exploit lessons: $3.4B in DeFi losses and what they revealed

The cross-ecosystem patterns from 2025's exploits — applicable to any smart contract language, Cairo included.

Methodology

Defense in depth: our audit workflow

The layered process we apply to every engagement, regardless of language.

Method

Fuzzing and formal verification in blockchain security

When property-based testing finds what manual review can't, and how it applies to ZK-friendly languages like Cairo.

Other services

Need something else?

Parent

Smart contract audits

Back to the parent service — see all languages, methodology, and recent engagements.

Sibling language

Solidity audit

Our most populated language vertical — Ethereum and every major EVM chain.

Subscription

Security Audit Subscription

Ongoing weekly review during development — Cairo or any other language.

Ready when you are

Ready to audit?

Send us your repo and a target date. We’ll come back with a scope and a quote within 24 hours.

Request an intro call