
Bug Bounties Made Simple.

Cantina Bounties enables protocols to protect code in production by leveraging the best network of security researchers and the Cantina Code platform.


How it works

Best Talent

Access the best talent Web3 has to offer including direct access to thousands of researchers from industry-leading firms such as Spearbit.

Efficient Process

Cantina Code was built around bettering the client experience. Simply put — less spam, higher signal findings, and less overhead for you and your team.

Highest Signal

Through quality-gating mechanisms and LLM-based de-duplication, we reduce low-effort and spam submissions from overloading protocols.


Pendle Finance / Pendle Bounty

Live

Pendle is the first protocol that enables the trading of tokenized future yield on an AMM system. The project aims to give holders of yield-generating assets the opportunity to generate additional yield and to lock in future yield upfront, while offering traders direct exposure to future yield streams, without the need for an underlying collateral.

Further resources regarding Pendle can be found at pendle.finance.

The bug bounty program is focused on Pendle's smart contracts and is mostly concerned with the loss of user funds.

Contracts in Scope

Network: Mainnet Ethereum

Target URL      Type
Explorer Link   router
Explorer Link   ActionAddRemoveLiqV3
Explorer Link   ActionSwapPTV3
Explorer Link   ActionSwapYTV3
Explorer Link   ActionMiscV3
Explorer Link   ActionCallbackV3
Explorer Link   ActionStorageV4
Explorer Link   pendleSwap
Explorer Link   ptAndLpOracle
Explorer Link   yieldContractFactoryV3
Explorer Link   marketFactoryV3
Explorer Link   limitRouter
Explorer Link   vePendle
Explorer Link   senderEndpoint
Explorer Link   votingController
Explorer Link   gaugeController
Explorer Link   feeDistributorV2

Network: Arbitrum

Target URL      Type
Explorer Link   router
Explorer Link   ActionAddRemoveLiqV3
Explorer Link   ActionSwapPTV3
Explorer Link   ActionSwapYTV3
Explorer Link   ActionMiscV3
Explorer Link   ActionCallbackV3
Explorer Link   ActionStorageV4
Explorer Link   pendleSwap
Explorer Link   ptAndLpOracle
Explorer Link   yieldContractFactoryV3
Explorer Link   marketFactoryV3
Explorer Link   limitRouter
Explorer Link   receiverEndpoint
Explorer Link   vePendle
Explorer Link   gaugeController
Explorer Link   arbMerkleDistribution

Network: Optimism

Target URL      Type
Explorer Link   router
Explorer Link   ActionAddRemoveLiqV3
Explorer Link   ActionSwapPTV3
Explorer Link   ActionSwapYTV3
Explorer Link   ActionMiscV3
Explorer Link   ActionCallbackV3
Explorer Link   ActionStorageV4
Explorer Link   pendleSwap
Explorer Link   ptAndLpOracle
Explorer Link   yieldContractFactoryV3
Explorer Link   marketFactoryV3
Explorer Link   limitRouter
Explorer Link   receiverEndpoint
Explorer Link   vePendle
Explorer Link   gaugeController

Network: Binance Smart Chain

Target URL      Type
Explorer Link   router
Explorer Link   ActionAddRemoveLiqV3
Explorer Link   ActionSwapPTV3
Explorer Link   ActionSwapYTV3
Explorer Link   ActionMiscV3
Explorer Link   ActionCallbackV3
Explorer Link   ActionStorageV4
Explorer Link   pendleSwap
Explorer Link   ptAndLpOracle
Explorer Link   yieldContractFactoryV3
Explorer Link   marketFactoryV3
Explorer Link   limitRouter
Explorer Link   receiverEndpoint
Explorer Link   vePendle
Explorer Link   gaugeController

Network: Mantle

Target URL      Type
Explorer Link   router
Explorer Link   ActionAddRemoveLiqV3
Explorer Link   ActionSwapPTV3
Explorer Link   ActionSwapYTV3
Explorer Link   ActionMiscV3
Explorer Link   ActionCallbackV3
Explorer Link   ActionStorageV4
Explorer Link   pendleSwap
Explorer Link   ptAndLpOracle
Explorer Link   yieldContractFactoryV3
Explorer Link   marketFactoryV3
Explorer Link   limitRouter
Explorer Link   receiverEndpoint
Explorer Link   vePendle
Explorer Link   gaugeController

Additional scope:

All StandardizedYieldToken, PendlePrincipalToken, PendleYieldToken, PendleYieldTokenV2, and PendleMarket contracts of assets listed under the links below are in scope. Note that each asset will have a different SY but the same PT, YT, and Market.

Award Levels

Rewards are capped at 10% of economic impact.

  • Very Critical: Up to $2,000,000 USD, minimum payout $200,000 USD
  • Critical: Up to $1,000,000 USD, minimum payout $100,000 USD
  • High: Up to $100,000 USD, minimum payout $20,000 USD
  • Medium: Up to $20,000 USD
  • Below Medium: To be awarded at the discretion of Pendle Finance

Severity Definitions

For manipulation that can steal/freeze users' funds (excluding unclaimed yield)

Likelihood \ Impact   >10% TVL            1-10% TVL           < 1% TVL
High                  Very Critical       Critical            High or Critical
Medium                Critical            High or Critical    High
Low                   High or Critical    High                Medium

For other manipulation

The Pendle team will exercise its discretion, together with the Cantina team, to judge the severity with the aim of awarding fairly to security researchers.

Likelihood \ Impact   Significant         Moderate            Minimal
High                  High or Critical    High                Medium
Medium                High                Medium              Below Medium
Low                   Medium              Below Medium        Below Medium

Out of Scope (all repositories)

If an issue is discovered in files not listed as In Scope above, security researchers are still encouraged to report the finding. Awards for out-of-scope issues are determined at the discretion of Pendle Finance.

The Pendle team will be very flexible in assessing all submissions, with the goal of prioritizing the security of the protocol.

Known Public Issues

Known issues from previous security reviews are considered out of scope.

Known but not Public Issues

Known but not public issues are considered out of scope.

Specific Types of Issues

  • Informational findings.
  • Design choices related to protocol
  • Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
  • Rounding errors.
  • Relatively high gas consumption.
  • Extreme market turmoil vulnerability.

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.
    • We recommend testing on local forks, for example using foundry.
  • Public disclosure of bugs without the consent of the protocol team.
  • Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.

$2,000,000 USDC

Starts on 14 Jun 2024


Morpho / Morpho

Live

Morpho Blue and MetaMorpho form part of the vision to rebuild decentralized lending in layers, with MetaMorpho enabling any lending experience to be rebuilt on a shared and immutable base layer: Morpho Blue.

Morpho Blue is a trustless lending primitive that offers unparalleled efficiency and flexibility. It enables the creation of isolated lending markets by specifying any loan asset, any collateral asset, a liquidation LTV (LLTV), an oracle, and an interest rate model.

Visit the docs for a complete project overview.

https://morpho.org/

Smart Contracts in Scope

Morpho Blue

Morpho Blue

Name (address link)                   Repo
Morpho Blue                           github.com/morpho-org/morpho-blue
Adaptive Curve Irm                    github.com/morpho-org/morpho-blue-irm
Morpho Chainlink Oracle V2 Factory    github.com/morpho-org/morpho-blue-oracles

MetaMorpho

Name (address link)    Repo
MetaMorpho Factory     github.com/morpho-org/metamorpho
Public Allocator       github.com/morpho-org/public-allocator

Rewards

Name (address link)                       Repo
Market Rewards Program Registry           github.com/morpho-org/morpho-blue-rewards-emissions
Rewards Emission Data Provider            github.com/morpho-org/morpho-blue-rewards-emissions
Universal Rewards Distributor Factory     github.com/morpho-org/universal-rewards-distributor

Bundlers

Name (address link)                  Repo
EthereumBundler                      morpho-org/morpho-blue-bundlers
AaveV2MigrationBundler               morpho-org/morpho-blue-bundlers
AaveV3MigrationBundler               morpho-org/morpho-blue-bundlers
AaveV3OptimizerMigrationBundler      morpho-org/morpho-blue-bundlers
CompoundV2MigrationBundler           morpho-org/morpho-blue-bundlers
CompoundV3MigrationBundler           morpho-org/morpho-blue-bundlers

Morpho Optimizers

Name (address link)                    Repo
Morpho Proxy (Compound)                github.com/morpho-org/morpho-v1-deprecated
Morpho (Compound)                      github.com/morpho-org/morpho-v1-deprecated
PositionsManager (Compound)            github.com/morpho-org/morpho-v1-deprecated
InterestRatesManager (Compound)        github.com/morpho-org/morpho-v1-deprecated
RewardsManager Proxy (Compound)        github.com/morpho-org/morpho-v1-deprecated
Morpho Proxy (AaveV2)                  github.com/morpho-org/morpho-v1-deprecated
RewardsManager (Compound)              github.com/morpho-org/morpho-v1-deprecated
Morpho (AaveV2)                        github.com/morpho-org/morpho-v1-deprecated
EntryPositionsManager (AaveV2)         github.com/morpho-org/morpho-v1-deprecated
ExitPositionsManager (AaveV2)          github.com/morpho-org/morpho-v1-deprecated
InterestRatesManager (AaveV2)          github.com/morpho-org/morpho-v1-deprecated
Morpho Proxy (AaveV3 ETH eMode)        github.com/morpho-org/morpho-aavev3-optimizer
Morpho (AaveV3 ETH eMode)              github.com/morpho-org/morpho-aavev3-optimizer
PositionsManager (AaveV3 ETH eMode)    github.com/morpho-org/morpho-aavev3-optimizer
ma3WETH Vault Proxy                    github.com/morpho-org/morpho-aavev3-optimizer
ma3WETH Vault                          github.com/morpho-org/morpho-aavev3-optimizer
Morpho Admin (DAO)
Delay Modifier (DAO)
Role Modifier (DAO)
Morpho Token (DAO)
Operator (DAO)

Severity Definitions

Smart Contracts

Severity level        Impact: High    Impact: Medium
Likelihood: high      $555,555.00     $100,000.00
Likelihood: medium    $100,000.00     -

Out of Scope (all repositories)

Known Issues

Known issues from previous security reviews are considered out of scope.

Note that the metamorpho repository also gathers the findings on all periphery contracts from the Cantina competition.

Specific Types of Issues

  • Informational findings.
  • Design choices related to protocol. For example, the ability to deploy permissionless pools.
  • Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
  • Rounding errors.
  • COMP rewards can be claimed as part of the reserve factor if COMP is listed as market.
  • Someone can repay on behalf of Morpho.
  • Relatively high gas consumption.
  • Extreme market turmoil vulnerability.
  • Some contracts are not set yet (eg: IncentivesVault).
  • Manipulation of the matching engine. Here are some examples:
    • Split large amounts: On Morpho, pure supplier whales are always in the first positions of the data structures and are constantly matched/unmatched. It is possible to supply a large amount with a first account, borrow-repay (free) to match itself, and then withdraw enough from the supply to be inserted in the FIFO part of the data structure. The final result is a huge matched liquidity split across multiple accounts.
    • Flashloan to enter peer-to-peer: A user is waiting in the FIFO part of the pool data structure because larger users are placed before this user. With a flash loan, it is possible to supply enough to become the first user waiting to be matched, then borrow-repay (free) to match peer-to-peer the user itself as well as the second one, then withdraw the flashloaned amount and end the tx. The user is thus matched peer-to-peer.

All other issues acknowledged in the audits in these repos: https://github.com/morpho-dao/morpho-v1/ and https://github.com/morpho-dao/morpho-aave-v3

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.
    • We recommend testing on local forks, for example using foundry.
  • Public disclosure of bugs without the consent of the protocol team.
  • Conflict of Interest: any employee or contractor working with Morpho Labs cannot participate in the Bug Bounty.

$555,555 USDC

Starts on 27 Mar 2024


Chronicle Labs / Chronicle Labs Bounty

Live

Chronicle Protocol is a novel Oracle solution that has exclusively secured over $10B in assets for MakerDAO and its ecosystem since 2017. With a history of innovation, including the invention of the first Oracle on Ethereum, Chronicle Protocol continues to redefine Oracle networks. A blockchain-agnostic protocol, Chronicle overcomes the current limitations of transferring data on-chain by developing the first truly scalable, cost-efficient, decentralized, and verifiable Oracles, rewriting the rulebook on data transparency and accessibility.

Scribe's technical documentation at docs/ provides complete documentation of the technical decisions, external assumptions, internal invariants, as well as deployment and maintenance guides.

chroniclelabs.org

Smart Contracts in Scope

Scribe

chronicleprotocol/scribe/tree/v2

In scope:

  • everything in src/
  • special focus for us:
    • Unauthorized auth access
    • Unauthorized addition or removal of validator/feed
    • Being able to report a malicious price update
    • Constructing a non-challengeable, invalid opPoke
    • No "special" EVM assumptions, i.e. EVM fragmentation is a big issue and we want Scribe to be deployable on L2s etc. without adjustments

Severity Definitions

Smart Contracts

Severity level        Impact: High    Impact: Medium
Likelihood: high      $50,000.00      $30,000.00
Likelihood: medium    $30,000.00      $10,000.00

Out of Scope (all repositories)

Known Issues

Known issues (Acknowledged/won't fix) from previous security reviews are considered out of scope.

  • Find previous security reviews here
  • Schnorr signature aggregation scheme is vulnerable to rogue-key attacks (described here)
  • Schnorr signature aggregation scheme is vulnerable to private keys with a linear relationship (described here)

Specific Types of Issues

  • Informational findings.
  • Design choices related to protocol.
  • Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
  • Rounding errors.
  • Relatively high gas consumption.

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.
    • We recommend testing on local forks, for example using foundry.
  • Public disclosure of bugs without the consent of the protocol team.
  • Conflict of Interest: any employee or contractor working with Chronicle Labs cannot participate in the Bug Bounty.

$50,000 USDC

Starts on 1 May 2024


Huma Finance / Huma Bounty

Live

On-chain credit platform where high-performing receivables meet with global capital.

Visit the docs for a complete project overview.

huma.finance

Smart Contracts in Scope

huma-contracts-v2

Name (address link)    Repo
huma-contracts-v2      https://github.com/00labs/huma-contracts-v2/tree/main

Excluding mocks, tests, scripts, etc. Valid issues must satisfy one of the severity definitions below.

Deployed Contracts Celo

Name                                       Celo Address
Calendar                                   0x129686C98916c7fFF9cf9110127402D070183610
HumaConfig                                 0x9345cc5617F906C62bE1608680B9C0FC3e7707B0
HumaConfigTimelock                         0x14B067bac6039429A11baf564db90eDBcc4E27F3
PoolConfigImpl                             0x7b6b28434c74E6DB5ba5c9a71eA6ff7A6D5071A5
PoolFeeManagerImpl                         0x3D143343FC4bF823365A38Fb76A89754C5C22f77
PoolSafeImpl                               0xd2FFCC9f6797ce2D7B503DC3287c4cc4D7fde77F
FirstLossCoverImpl                         0x0D9b3ecd2B890651EF7dF65650b419a202D38FF4
RiskAdjustedTranchesPolicyImpl             0xe780653d7c03A5199B3c13b8c663fcE2CDd72562
FixedSeniorYieldTranchesPolicyImpl         0x86c3a14EE6f0B9BFeE1439a9b6eA191B565a3A0F
PoolImpl                                   0xa6C59ce6c1E1A519EcE7ad0Eeead31D485C7C8A9
EpochManagerImpl                           0x5aF84f6c8c6738417e6081677f186839294b5eEc
TrancheVaultImpl                           0xf26A071833032Ce57769fdf530E81A28f15671df
CreditLineImpl                             0x73c16Db24951135BC8A628185BdbfA79115793E5
ReceivableBackedCreditLineImpl             0xE265E07F9d18Df940A75CfFfEA51211F4f0C46cC
ReceivableFactoringCreditImpl              0x2DF0091067B29Cbac6bD8C2cE15334dEFEE9738C
CreditDueManagerImpl                       0xe1Bd10Bba7DF72527dB2F6955d8A731844C8bf84
CreditLineManagerImpl                      0xC98dEAA52Ba4848079aA0A4e48BEA6f0AcdC542c
ReceivableBackedCreditLineManagerImpl      0xAD3FB6bB897f85125436a63a5b8c3Dfb5928Fa4e
ReceivableFactoringCreditManagerImpl       0x7EF17831D7153b085ccDEFc02373234Baec16243
ReceivableImpl                             0x8920C27a3D76daA004f373f78fa1Ed01B4940FbA
LibTimelockController                      0x41B1Dd4c2bbcff308Ef95210532B97DF87D8c053
PoolFactoryImpl                            0x2DA34B43089F20c87770674fb7d8Fa5b5384534b
PoolFactory                                0x85c8dC49B8DaA709e65dd2182e500E8AC3CaA6C7

Severity Definitions

Smart Contracts

Severity level        Impact: High    Impact: Medium
Likelihood: high      $50,000.00      $25,000.00
Likelihood: medium    $25,000.00      $10,000.00

Issues in Scope

Critical

Complete, or near complete, loss of all funds in the protocol.

High

Meaningful, but limited, loss of funds. Examples include a single pool vulnerable to complete loss of funds, or partial loss of TVL across the protocol (for example a 15% loss).

Medium

Privilege escalation and circumventing access controls not leading to loss of funds in a way that qualifies as a higher severity.

Out of Scope (all repositories)

Known Issues

Known issues from previous security reviews are considered out of scope. (Spearbit-Security-Review)

Specific Types of Issues

  • Informational findings.
  • Design choices related to protocol.
  • Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
  • Rounding errors. (E.g. yield calculation precision not leading to meaningful loss of funds.)
  • Relatively high gas consumption.
  • Centralization or admin risks.

All other issues acknowledged in the audits in the Spearbit-Security-Review are out of scope.

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.
    • We recommend testing on local forks, for example using foundry.
  • Public disclosure of bugs without the consent of the protocol team.
  • Conflict of Interest: any employee or contractor who currently works, or previously worked, with Huma Finance cannot participate in the Bug Bounty without prior approval. Examples include Huma contributors, security researchers who worked on Huma Finance code reviews, etc.

$50,000 USDC

Starts on 30 May 2024


The first marketplace for web3 security. We've aggregated the security talent and solutions so you don't have to.


© 2024 Cantina. All rights reserved.