Bypassing Attestation Logic in Cairo: A Starknet Security Case Study

🔍 The Problem Statement In this post, I disclose a logic vulnerability found in a Starknet staking protocol (specifically Attestation.cairo). The issue allows an attacker to extract STRK rewards without providing the mandatory BTC collateral. 🛠 The Technical Deep Dive: get_block_hash_syscall The vulnerability stems from the improper handling of block hashes for off-chain verification. Rust // Simplified vulnerable snippet let block_hash = get_block_hash_syscall(target_block_number).unwrap(); assert(provided_proof.anchor == block_hash, 'Invalid proof anchor'); The flaw is that the contract relies on a syscall to verify external data without a cryptographic link that prevents replaying or spoofing the block reference in a specific context. By manipulating the target_block_number or providing a stale but valid hash, an attacker can satisfy the assert condition. 🛡 Why it matters Reward Extraction: Attackers can claim incentives meant for real stakers. Economic Imbalance: Dilutes the value