Bug Bounties
Made Simple.
Made Simple.
Cantina Bounties enables protocols to protect code in production by leveraging the best network of security researchers and the Cantina Code platform.
How it works
Best Talent
Access the best talent Web3 has to offer including direct access to thousands of researchers from industry-leading firms such as Spearbit.
Efficient Process
Cantina Code was built around bettering the client experience. Simply put — less spam, higher signal findings, and less overhead for you and your team.
Highest Signal
Through quality-gating mechanisms and LLM-based de-duplication, we reduce low-effort and spam submissions from overloading protocols.
Streamlined Submission and Evaluation Process
Cantina Code provides researchers with a comprehensive code review interface to easily submit findings and the swiftest time-to-reward across the industry.
Better Communication with Clients
No more forms. No more Discord. No more Github. Handle all communication simply and swiftly with protocol teams — all in Cantina Code.
Highest Quality Bounties
We believe in combining the best talent with the best reward structures to provide industry-leading bug bounties for industry-leading protocols.
Morpho
LiveWhat is Morpho
Morpho Blue and MetaMorpho form part of the vision to rebuild decentralized lending in layers, with MetaMorpho enabling any lending experience to be rebuilt on a shared and immutable base layer: Morpho Blue.
Morpho Blue is a trustless lending primitive that offers unparalleled efficiency and flexibility. It enables the creation of isolated lending markets by specifying any loan asset, any collateral asset, a liquidation LTV (LLTV), an oracle, and an interest rate model.
Visit the docs for a complete project overview.
Smart Contracts in Scope
Morpho Blue
Morpho Blue
| Name (address link) | Repo |
|---|---|
| Morpho Blue | github.com/morpho-org/morpho-blue |
| Adaptive Curve Irm | github.com/morpho-org/morpho-blue-irm |
| Morpho Chainlink Oracle V2 Factory | github.com/morpho-org/morpho-blue-oracles |
MetaMorpho
| Name (address link) | Repo |
|---|---|
| MetaMorpho Factory | github.com/morpho-org/metamorpho |
| Public Allocator | github.com/morpho-org/public-allocator |
Rewards
Bundlers
Morpho Optimizers
Severity Definitions
Smart Contracts
| Severity level | Impact: High | Impact: Medium |
|---|---|---|
| Likelihood:high | $555,555.00 | $100,000.00 |
| Likelihood:medium | $100,000.00 | - |
Out of Scope (all repositories)
Known Issues
Known issues from previous security reviews are considered out of scope.
- morpho-org/morpho-blue/tree/main/audits
- morpho-org/metamorpho/tree/main/audits
- morpho-org/morpho-blue-bundlers/tree/main/audits
- morpho-optimizers/security/audits
Note that the metamorpho repository also gathers the findings on all periphery contracts from the Cantina competition.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol. For example, the ability to deploy permissionless pools.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to
address(0). - Rounding errors.
- COMP rewards can be claimed as part of the reserve factor if COMP is listed as market.
- Someone can repay on behalf of Morpho.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
- Some contracts are not set yet (eg: IncentivesVault).
- Manipulation of the matching engine. Here are some examples:
- Split large amounts: On Morpho, pure supplier whales are always in the first positions of data structures and constantly matched/unmatched. What is possible to do is to supply a large amount with a first account. Borrow-repay (free), to match itself, and then withdraw enough from the supply to be inserted in the FIFO part of the data structure. The final result is a huge liquidity matched splitted across multiple accounts.
- Flashloan to enter peer-to-peer: A user is waiting in the FIFO part of the pool data structure because larger users are placed before this user. With a flash loan, it’s possible to supply enough to become the first user waiting to be matched. Then borrow-repay (free), to match peer-to-peer the user itself as well as the second one. Then withdraw the flasloaned amount and end the tx. The user is thus matched peer-to-peer.
All other issues acknowledged in the audits in this repo: https://github.com/morpho-dao/morpho-v1/ and https://github.com/morpho-dao/morpho-aave-v3
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Morpho Labs cannot participate in the Bug Bounty.
$555,555 USDC
Starts on 27 Mar 2024
Chronicle Labs Bounty
LiveWhat is Chronicle Labs
Chronicle Protocol is a novel Oracle solution that has exclusively secured over $10B in assets for MakerDAO and its ecosystem since 2017. With a history of innovation, including the invention of the first Oracle on Ethereum, Chronicle Protocol continues to redefine Oracle networks. A blockchain-agnostic protocol, Chronicle overcomes the current limitations of transferring data on-chain by developing the first truly scalable, cost-efficient, decentralized, and verifiable Oracles, rewriting the rulebook on data transparency and accessibility.
Scribe's technical documentation at docs/ provides complete documentation of the technical decisions, external assumptions, internal invariants, as well as deployment and maintenance guides.
Smart Contracts in Scope
Scribe
chronicleprotocol/scribe/tree/v2
In scope:
- everything in
src/ - special focus for us:
- Unauthorized auth access
- Unauthorized addition or removal of validator/feed
- Being able to report a malicious price update
- Constructing a non-challengeable, invalid opPoke
- No "special" evm assumptions, ie evm fragmentation is a big issue and we want Scribe to be deployable on L2s etc without adjustments
Severity Definitions
Smart Contracts
| Severity level | Impact: High | Impact: Medium |
|---|---|---|
| Likelihood:high | $50,000.00 | $30,000.00 |
| Likelihood:medium | $30,000.00 | $10,000.00 |
Out of Scope (all repositories)
Known Issues
Known issues (Acknowledged/won't fix) from previous security reviews are considered out of scope.
- Find previous security reviews here
- Schnorr signature aggregation scheme is vulnerable to rogue-key attacks (described here) Schnorr signature aggregation scheme is vulnerable to private keys with linear relationship (described here)
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to
address(0). - Rounding errors.
- Relatively high gas consumption.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Chronicle Labs cannot participate in the Bug Bounty.
$50,000 USDC
Starts on 1 May 2024