This article is a case study of how Alchemy partnered with Cantina — a transparent, efficient, and industry-leading security marketplace for protocols, incubated by Spearbit — to build a robust security foundation through multiple engagements. Beginning with initial security reviews and continuing through additional assessments, the collaboration culminated in January 2025 with the migration of Alchemy's bug bounty program from HackerOne to Cantina. This strategic evolution has connected Alchemy with blockchain security experts, strengthening their infrastructure while raising standards across the Web3 ecosystem.

Key Stakeholders

Alchemy

Alchemy is the world's leading web3 development platform, providing the infrastructure and developer tools needed to build scalable, reliable rollups and applications. Trusted by the largest companies and developers in web3, Alchemy's platform powers millions of users across multiple chains and delivers unmatched reliability, scalability, and ease of use.

Spearbit

Spearbit is a distributed, industry-leading blockchain security services firm that pairs protocols with top security researchers who have deep subject-matter expertise in Web3 security, in order to identify vulnerabilities in an ever-evolving landscape. Spearbit serves as a node in the ever-expanding Cantina network.

Cantina

Cantina is an efficient security marketplace incubated by Spearbit that provides protocols with access to leading security service providers, high-signal crowdsourced security reviews called competitions, and dynamic price transparency across Web3 security’s top talent pool.

Context and Value Alignment

Alchemy's mission to provide reliable, scalable tools for Web3 developers necessitates an uncompromising approach to security. Alchemy Smart Wallets help developers grow their onchain apps by removing all the pesky barriers to onboarding and activating users. 

Powering over 16 million smart wallets and counting, teams like Azuki, Earn'M, and Gensyn have grown to millions of users and transactions with seamless email and social login and gas-free transactions.

The smart wallets are powered by smart contracts (account abstraction), enabling new levels of user experience, security, and flexibility onchain.

Over the span of two years, Alchemy has consistently called on Spearbit to augment their security efforts. Alchemy shares Spearbit's ethos about the need for a multi-faceted approach to security, and regards it as a non-negotiable in their mission to develop robust Web3 solutions.

From the initial engagement in June 2023 through their comprehensive security reviews in July and November 2023 — and now with their bug bounty program migration to Cantina in January 2025 — the collaboration between Spearbit, Cantina, and Alchemy has demonstrated a shared commitment to security excellence. Alchemy's decision to transition their bug bounty program to Cantina reflects their desire for specialized Web3 security expertise and higher quality vulnerability assessments.

This alignment in security philosophy made Spearbit the ideal partner to ensure Alchemy meets the stringent security requirements necessary for supporting the thousands of developers and billions in transaction volume that rely on their platform.

The Approach

Below we have highlighted the approach taken by Alchemy in conjunction with Spearbit and Cantina to meet their desired security goals.

The strongest security strategy diversifies defenses against potential vulnerabilities at multiple stages of the development lifecycle. In the Spearbit review stage, expert security researchers scrutinize aspects such as smart contracts, architecture, and development frameworks, ensuring foundational integrity. Competitions and bug bounties hosted by Cantina then incentivize external security researchers to bring their own unique perspectives to specific areas of the code, tapping into a broader pool of security expertise.

As a result, a new way to do wallets onchain has been successfully secured by Cantina.

Spearbit and Cantina's Experience with Alchemy

Working with Alchemy has demonstrated what's possible when a leading Web3 infrastructure project takes a proactive, specialized approach to security. The Alchemy team has shown exceptional commitment to:

- Maintaining clear and detailed program documentation

- Engaging constructively with security researchers

- Responding promptly to reported issues

- Implementing comprehensive fixes that address root causes

- Contributing to the overall improvement of Web3 security standards

Christos-eth, one of the researchers on Cantina’s team, shared his thoughts on the experience: 

“Working with Alchemy was an incredible experience. The team’s dedication to security was truly impressive. Alchemy’s engineers had a deep understanding of Modular Accounts and ERC-4337, and they were always available to address our questions and provide valuable insights. ERC-6900 — the modular account standard — is such a cool innovation, pushing the Ethereum community closer to Account Abstraction.”

Alchemy's Experience with Spearbit and Cantina

The Alchemy team has seen measurable improvements in their security program since partnering with Spearbit and Cantina. Here's what their security team has to say about the collaboration:

Conclusion

Alchemy's successful transition of their bug bounty to Cantina's specialized Web3 security ecosystem represents just one component of a comprehensive, multi-year security . From the initial engagements with Spearbit in mid-2023 through multiple security reviews and now the bug bounty migration, this collaboration has delivered tangible benefits: higher quality findings from researchers with deep Web3 expertise, dramatically improved signal-to-noise ratio, and faster vulnerability resolution times — all identifying and remediating critical issues that might have otherwise gone undetected.

Beyond the technical results, this strategic collaboration has enabled Alchemy's security team to focus on meaningful improvements while fostering relationships with top Web3 security talent. By implementing this multi-faceted security approach spanning code reviews, security audits, and specialized bug bounties, Alchemy has not only strengthened their own infrastructure but has also helped raise the standard for security practices across the entire Web3 ecosystem.
