Why Cairo Security: Motivated by the zkLend Hack
Exploring Cairo Security: Insights from the zkLend Hack and the Cairo Smart Contract Hacking Scholarship by Real Jonny Time and Starknet.
Why I Want to Learn Cairo Smart Contract Security
The blockchain environment is changing beyond Solidity and Ethereum, and Starknet’s Cairo language offers a curious new area. I started auditing smart contracts with Solidity and Foundry, and I view Cairo as a chance to expand my knowledge and become a better security researcher.
My Key Motivations for Learning Cairo:
Learning more about Starknet’s unique structure will help me advance my security expertise beyond Ethereum-based chains.
Gaining expertise in Cairo and Solidity would help me adjust to various blockchain ecosystems.
Staying ahead of the curve the need for security experts with a focus on Cairo is growing along with Starknet adoption.
Understanding the zkLend Hack & Its Impact
zkLend’s Blockchain Communication with Hacker
Hackers are out there romanticizing weaknesses while everyone else is busy enjoying Valentine’s Week! 💘💻😂
Ah, February 12—right when the world was busy buying roses and chocolates, some hackers were busy romancing a rounding error in zkLend’s smart contract.
Yes, this attacker was busy selling $9.5 million from zkLend while we were out here attempting to dodge expensive dinner reservations. What’s the worst? A straightforward precision loss flaw safe_decimal_math::div() was the source of the exploit. Imagine a small error having far-reaching effects.
🔍 How the Attack Happened
The value of the lending_accumulator was intentionally inflated by the attacker.
Although they only deposited a modest sum of wstETH, they received far more than they had deposited because of flawed rounding logic.
They multiplied their balance dramatically while repeating this cycle in a loop until the procedure was exhausted.
After a successful heist, why not employ a privacy tool? The money was transferred to Ethereum and laundered through Railgun.
After recognizing the mess, zkLend kindly requested their 3,300 ETH back and offered a 10% whitehat bounty. (As though hackers follow a code of honor.)
Visit Shashank’s blog for a more thorough analysis. He demonstrates the attack in-depth and does a fantastic job of it.
Lessons Learned & My Takeaways
This vulnerability served as an alarming signal that even minor mathematical mistakes can have far-reaching effects on blockchain security. Imagine the impact of more serious logical errors if a straightforward rounding error can result in a full-scale breach.
- Accuracy is crucial not only in Cairo but also in Solidity, Rust, and other blockchain languages, integer division truncation can be fatal in financial reasoning.
Even seasoned engineers make mistakes, thus as auditors, it its our responsibility to identify them before attackers do.
Security is an ongoing activity.
More security researchers are needed by Starknet—Although Solidity has many professionals, Cairo security is still a specialized area. This is the ideal moment to take charge.
How I Plan To Contribute to Starknet Security
The strength of the community protecting decentralized systems determines their level of security. I want to make a significant contribution to the ecosystem, not just learn about Cairo for myself.
Auditing & Securing Starknet Smart Contracts
The zkLend breach demonstrated how urgently Starknet needs more qualified auditors. After I’ve mastered Cairo, I intended to:
Before being exploited, identify and fix important vulnerabilities.
Conduct thorough checks of Starknet protocols to guarantee complete security.
Teach developers about real-world attack vectors and secure coding techniques (because sharing information is half the fight).
Educating & Growing the Starknet Security Community
There are now a fairly small number of auditors with expertise in Starknet. By being skilled in Cairo, I hope to:
Assist in integrating new users into the Starknet security environment.
Help Soldity auditors who want to switch to auditing in Cairo.
To stop future hackers, share case studies of actual exploits.
The Cairo Smart Contract Hacking Scholarship - A Game Changer Opportunity
The Cairo Smart Contract Hacking Scholarship by Real Jonny Time and Starknet is an incredible opportunity to gain hands-on experience and contribute to the Web3 security landscape.
With my background in Smart Contract auditing and Security, I’m confident that this scholarship will help me:
Expand my knowledge of Starknet and Cairo security.
Use what I’ve learned to create safe, practical Starknet applications.
Participate in the community and assist additional developers in creating safe contracts for Cairo.
To advance my knowledge of blockchain security, I’m eager to enroll in this program and am looking forward to the road ahead!
Let’s Connect!
Let’s talk if you share my enthusiasm for Web3 security! I would love to work with you on security research in general, smart contract auditing, or Cairo. Additionally, see my earlier blog post on My Journey with Web3 Security.