Web3 systems carry unique execution and financial risks. When code is immutable and on-chain, a single overlooked vulnerability can cascade into large-scale fund loss, protocol insolvency, or systemic failure.

Bug bounty programs mitigate that risk by extending security beyond the audit. They engage independent researchers to uncover vulnerabilities under real-world conditions, providing continuous testing after code goes live. At Cantina, we’ve built a platform that streamlines this process, making it easier for top teams to define scope, set incentives, and attract the right researchers.

But why do the industry’s most security-conscious teams choose to run their bounties on Cantina? Let’s break it down.

How Cantina Makes Bug Bounties Work

Cantina’s approach to bounties is designed for high-signal output.

  • Expert research network: 9,000+ vetted researchers specializing in smart contracts, EVM/Non-EVM environments, ZK, infrastructure, and app-layer security.
  • Structured triage: Cantina combines expert reviewers with AI-based filtering to remove spam, noise, and duplicate reports.
  • Custom scopes and payouts: Every bounty is tailored to protocol design and security surface, with escalation paths and coverage options built in.
  • Coverage integration: Projects that complete an audit, competition, and bounty can qualify for up to $300,000 in coverage through Cantina.

The result is a feedback loop that scales with complexity and stays relevant as code and attack surfaces evolve.

Uniswap

Uniswap runs the largest bug bounty program in Web3.

The bounty is built to match the scale of its architecture and deployed value. Uniswap’s protocol stack spans immutable smart contracts, a new v4 engine with hook support, and deployments across chains including Ethereum mainnet and Unichain. The bounty scope includes core contracts, the web interface, wallets, and infrastructure components.

Running a bug bounty at this scale is critical for two reasons:

  1. Post-launch risk coverage: Uniswap’s contracts are immutable and non-upgradable. Once deployed, bugs can’t be patched directly.
  2. Ecosystem surface area: Uniswap v4 supports third-party extensions through hooks, increasing the likelihood of integration errors or attack paths introduced by external contracts.

The reward structure accounts for impact and exploit likelihood. This ensures the incentives match the risk exposure.

View the Uniswap Bounty

Coinbase

Coinbase launched a $5 million bounty on Cantina to secure its onchain products and smart contracts across Base. The scope includes all production mainnet deployments tied to Coinbase infrastructure.

The program reflects Coinbase’s approach to security: structured reviews, clear documentation, and operational discipline. Findings are evaluated for clarity, severity, and reproducibility. Reward tiers match technical impact.

This launch builds on prior engagements between Coinbase and Cantina, including audits of modules like Fault Proofs, Verified Pools, Nitro Validator, SpendPermissionManager, and ERC-6492 logic. The structure of those reviews shaped how this public bounty operates today.

The program runs entirely on Cantina’s platform. Researchers can submit findings with full scope visibility, consistent triage, and access to key references.

View the Coinbase Bounty

Morpho

Morpho’s bounty secures a lending layer that routes user funds through vaults and adapters to lending protocols like Aave and Compound. It spans multiple architecture versions (V0, V1, V2), a rewards system, oracle infrastructure, DAO governance contracts, and custom bundler logic.

The modular design introduces several areas where security assumptions depend on integration, rather than isolated contract logic.

Morpho’s bug bounty is essential for catching risks tied to:

  • Vault misconfiguration or adapter errors
  • Reward emission logic and misallocation
  • DAO admin and role-based access
  • External protocol behavior via integrations

The bounty scope is extensive and regularly updated to include deployments across Ethereum, Base, OP Mainnet, Arbitrum, and other supported chains.

View the Morpho Bounty

Euler

Euler’s bounty program secures a modular lending system with composable vaults, capital routing layers, and a custom oracle and AMM stack.

This includes:

  • Vault Kit for permissionless lending vaults
  • Ethereum Vault Connector as a collateral and routing layer
  • EulerSwap, a just-in-time liquidity AMM
  • Reward Streams and Fee Flow systems
  • Euler Earn, built on top of ERC4626 strategies

Euler’s protocol logic is complex, and its modularity introduces a wide attack surface. The bounty structure is designed to separate findings by component, with differentiated payout paths for core logic, interfaces, or supporting contracts.

It also includes a boosted payout tier for vulnerabilities impacting the Usual Stability Loan vaults, bringing total potential rewards to $7.5M.

The bounty is essential for stress-testing vault behavior, collateral interactions, price feeds, and governance pathways, especially under real-world usage and integrations.

View the Euler Bounty

Kinetiq

Kinetiq operates a liquid staking system on Hyperliquid, issuing a yield-bearing token (kHYPE) backed by staked HYPE.

All staked assets are delegated through StakeHub, an autonomous validator selection mechanism designed to optimize for performance and decentralization. The protocol stack includes logic for staking, accounting, validator registry management, oracles, and liquidity flows through kHYPE.

The bug bounty is focused on identifying vulnerabilities that could compromise delegation accuracy, oracle reliability, or kHYPE’s 1:1 representation of staked HYPE.

This is the first major bounty on Hyperliquid. It’s critical for ensuring the security of the staking pipeline, especially given Kinetiq’s role in helping bootstrap liquid staking on a high-throughput, L2-native chain.

View the Kinetiq Bounty

Outstanding CTFs: Real-World Security at Scale

Cantina’s bounty platform supports more than disclosures. It powers live, onchain Capture the Flag (CTF) events. These are production environments where researchers test real exploits under live conditions.

EulerSwap CTF

EulerSwap introduces composable liquidity with lending-native yield mechanics. Starting June 2, new USDC and USDT swap contracts were deployed to Ethereum mainnet with $500,000 in real liquidity. This is not a simulation.

Researchers are challenged to extract funds within a defined scope. All activity must go through Cantina with completed KYC. Exploits submitted outside the platform are disqualified and pursued.

Scope: Assets held by the Swap Account when executed through a verified EulerSwap Operator contract

Objective: Prove exploitability in a live setting

Why it matters: Euler completed six audits prior to launch. This CTF provides a transparent, high-stakes validation layer that simulates actual market conditions.

View the EulerSwap CTF

Makina CTF

Makina is a protocol for onchain strategy execution with a novel hub-and-spoke architecture. The CTF ran from September 18 to October 16 and awarded up to $100,000 in ETH.

This event exposed the full lifecycle of Makina’s contracts, including deposits, migrations, yield harvesting, and bridging logic across chains. Strategies were actively managed during the event to provide continuous testing opportunities.

Scope: Core contracts, Caliber execution engines, bridge adapters, governance flows, and Operator behaviors

Objective: Identify vulnerabilities that lead to loss of funds or denial of service from any role or function

Why it matters: Makina’s architecture enables trustless cross-chain strategy management. The CTF validates these mechanisms under live operational pressure.

View the Makina CTF

Aave on Aptos CTF

Aave’s deployment on Aptos is its first move beyond EVM compatibility. Four assets were deployed to Aptos mainnet with a total of $100,000 in liquidity and opened to direct testing.

The contracts may be upgraded during the CTF, mirroring how real deployments evolve. Researchers are challenged to find vulnerabilities in a high-speed Layer 1 environment, with a focus on how architecture translates across domains.

Scope: Four active markets deployed to Aptos mainnet

Objective: Extract funds within scope under defined rules

Why it matters: This is Aave’s first step into non-EVM territory. The CTF tests real security assumptions under Aptos-specific conditions.

View the Aave Aptos CTF

Why These Bounties Work on Cantina

These programs succeed because they are built for signal. Scope is tightly defined. Payouts are calibrated to real risk. Triage is continuous. Cantina handles submission, review, and spam filtering so researchers and clients can focus on what matters.

Bug bounties and live CTFs are essential tools for security validation in production. Cantina gives protocols access to the top research network in Web3 with the infrastructure to scale it.

Explore All Bounties

Build fast. Ship secure.

Security needs to keep up with code. Cantina gives teams direct access to top researchers, clear triage, and high-signal reporting, without slowing anything down.

If your project is live or close to launch, you can run a bounty with the same discipline and coverage as the best in the industry.

Start a bounty

Talk to our team