This article serves as a case study as to how Euler partnered with Cantina - a transparent, efficient, and industry-leading security marketplace for protocols incubated by Spearbit to secure their lending protocol at multiple stages throughout their development lifecycle.
Key Stakeholders
Below are the key stakeholders involved in the engagement.
Euler
Euler is a modular lending platform designed to enhance capital efficiency and flexibility in DeFi. With Euler, users can permissionlessly establish lending markets tailored to their unique needs and preferences. Features like multi-collateral capabilities, aggregated vaults, and oracle freedom enhance user flexibility and streamline risk management.
Spearbit
Spearbit is a distributed industry-leading blockchain security services firm pairing protocols with top security researchers having deep subject matter expertise in Web3 security to identify vulnerabilities in an ever-evolving landscape. Spearbit serves as a node in the ever-expanding Cantina network.
Cantina
Cantina is an efficient security marketplace incubated by Spearbit that provides protocols with access to leading security service providers, high-signal crowdsourced security reviews called competitions, and dynamic price transparency across Web3 security’s top talent pool.
Context and Value Alignment
Euler is fast becoming known as one of the most security-conscious protocols in the industry, opting to undertake numerous internal and external measures to strengthen their security posture. This striving for top-tier security standards is evident in the extent of the measures taken, including but not limited to vCISO consultations, security reviews, formal verification, unit testing, fuzzing, peer reviews, competitions, and bounties. With such a security-first mindset, Euler is not just an ideal client for the tailored security solutions provided by Spearbit and Cantina, but is also setting exemplary standards for Web3 protocols as a whole.
Since April of this year, the collaboration between Spearbit, Cantina, and Euler has culminated in 6 engagements, demonstrating their preference for our expertise and services.
The Approach
Below we have highlighted the approach taken by Euler in conjunction with Spearbit and Cantina to meet their desired security goals.
Euler’s approach since its inception was to create a modular design to improve the security and risk management of the protocol. With modularity, they believe it can lead to more secure software that isolates risk, is easier to test, analyze, and audit, and reduces single points of failure. Three of their key modules in Euler v2 were built in this manner:
- Ethereum Vault Connector (EVC)
- Euler Vault Kit (EVK)
- Euler Price Oracle (EPO)
When working with Spearbit, these particular modules were the focus of the vCISO consultations and security reviews. The competition and bug bounty hosted by Cantina then aim to incentivize external security researchers to bring their own unique perspectives to Euler’s v2 codebase in its entirety. Together, these measures allowed the Euler team to have confidence in both the security of the modules on their own, and how they functioned as a whole.
The Assessments
There were vCISO engagements and three security reviews, one for each core module, conducted by Spearbit for Euler. These were conducted by the following security researchers:
Over the course of these three reviews, the researchers identified a total of 153 issues. A breakdown of their risk classification is below:
- High risk: 2
- Medium risk: 9
- Low risk: 28
- Gas optimizations: 8
- Informational: 106
You can view the report for each module’s review:- EVC Report - EVK Report - EPO Report
After the Spearbit reviews were completed, Euler then proceeded with a code review competition on Cantina . At the time, it was the biggest ever prize pool offered in the industry at \$1.25M, once again demonstrating the team’s commitment to upholding the highest of security standards. As a testament to the meticulousness of their security strategy and the skills of the researchers who had previously conducted the reviews, no highs or mediums were found in this competition even though there were over 600 researchers who participated. In August, alongside the launch of Euler V2, they also introduced a bug bounty on Cantina .
Spearbit and Cantina’s experience with Euler
A core part on the feedback from researchers involved with Euler was their dedication to security, with efforts beginning early in the development lifecycle. Multiple vCISO engagements were undertaken, with the Euler team only proceeding to the next step once the researchers were satisfied with the current design. An example of this was a set of contract that made it easier to build vaults: this was reviewed during the vCISO stage, and only after this was complete did the Euler team begin building their lending protocol around this abstraction.
They were also impressed with the focus placed on analyzing design decisions. The teams worked together to ideate on what would best prevent common lending platform attacks, ensuring a proactive approach to security from the start.
At every stage of the process, whether through vCISO, reviews, the competition or bounty, the Euler team gave each decision the utmost level of thought. They validated the direction they were going in regularly, and took every possible step to ensure their codebase was secure.
Euler’s experience with Spearbit and Cantina
Working with Spearbit has been a truly positive experience. The vCISO hours provided were particularly invaluable, offering a level of insight that significantly strengthened v2 development. Cmichel’s focus on addressing the broader, more strategic elements of security, alongside Stermi’s meticulous attention to detail—ensuring the code was not only secure but also clean, well-documented, and audit-ready—were highlights of the vCISO engagement. Their combined efforts set a solid foundation for the subsequent security reviews and ensured we were prepared for deeper audits.
Their responsiveness and depth of understanding in dissecting the codebase stood out from the start. They integrated seamlessly with our team, approaching each issue with care and thoroughness. This strong partnership, focused on finding the best solution, exemplified their dedication to addressing complex security risks.
The team considered potential future risks and helped ensure the protocol remained robust. The entire process demonstrated their ability to balance deep technical expertise with a broader understanding of real-world attack scenarios.
Conclusion
The collaboration between Euler, Spearbit, and Cantina has demonstrated the power of a thorough, multi-stage security approach. By engaging early through vCISO consultations, following up with security reviews, competitions, and a bug bounty, Euler ensured that its lending protocol was scrutinized from every angle by top-tier researchers.
This proactive and layered methodology has enabled Euler to build a highly secure system while also fostering an environment where security researchers are encouraged to contribute innovative and diverse perspectives. Ultimately, this strategy has set a new standard for protocol security, one which ensures the highest level of trust and safety for users.
Secure your protocol today
Spearbit and Cantina are your go-tos for comprehensive end-to-end security. Looking to secure your protocol? Let’s talk. We can have a full quote turned around for you within 24 hours, catered exactly to your project’s needs. Request a quote here .