Simplify Security with Cantina Code

Cantina Code is our code review platform designed to make your security review experience efficient. It’s the platform of choice for security-conscious teams.

'Fix issue #30': Enable mode would not install any module types but validators or multitypes with validator included.
Also includes fixes to issues #37, #38, #42 from PR #111.

Findings Dashboard

Take a comprehensive bird’s eye view of all findings, comments, and much more in a live continuous windowpane view.


Cantina Assistant

Deploy our AI assistant on your code, allowing researchers access to all the information they need to get started - and in turn, reducing the bandwidth required from your team.


Reputation Score

Quickly assess researcher submissions with a reputation score that reflects their proven track record, making it easier to manage findings and ignore spam, especially during bug bounties.

Pings

Pings reduce the opportunity for spam by limiting the number of @project tags a researcher has during an engagement based on their reputation level.

@project another concern related to supplyBalance.

Do we want the market value to exceed the cap? Assume a market is set at cap 10M and the vault owns 15M liquidity of the market. Do we want the value of the market to be capped at 10M? To reflect the full amount of the liquidity is more intuitive but riskier.

Assuming the vault wants to allocate 10% liquidity to a riskier market (e.g. DAI-Doge), in the event that Doge's price crashes, the Vault could potentially lose more than 10% of its liquidity.

Moreover, considering the morpho-blue protocol's removal of bad-debt socialization, we should discuss how the vault manager should handle situations in which a market has bad debt but keeps pumping the vault's value.

Notifications

Get alerts for every crucial piece of information you need to know, straight to your dashboard.

Filter

Add filters to your search by severity, author, or custom labels to find exactly what you’re looking for.


Shortcuts

Common actions deserve corresponding hotkeys to make your life easier.

Create findings

We’ve simplified and systematized the findings submission process, saving time for both researchers and organizations.

During enable mode, two validators are used.

1. validator: The module to be installed as any module type that can be defined. It must be a validator either already before the user op or after enabling it as a validator in enable mode. This validator will be used to validate the final userOp.
2. enableModeSigValidator: This validator is used in _checkEnableModeSignature to check the _getEnableModeDataHash(validator, initData) for enabling the first validator.

Note that these two validators are independent of each other and might have different trust assumptions and privileges.

While a user operation has a nonce field (that is used in the userOpHash and its signature) and the entrypoint checks and increments this nonce to avoid replaying a user operation, the inner enableModeSignature does not have any such replay protection. The same module, moduleInitData, enableModeSignature can be used in a different user operation to install the module a second time, for example, after the user uninstalled the module already.

As the entire enable mode data is encoded in the userOp.signature that is not part of userOpHash, a bundler can replace the enable mode data with a different previously signed one without invalidating the user operation (as long as the enable mode bit and the validator encoded in the userOp.nonce match).
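A Python model of the replay described in the finding above, added here as an illustration and not code from the finding, from ModuleManager.sol, or from Cantina: HMAC stands in for ECDSA, the account and module addresses are constructed values, and the per-account nonce bound into the enable-mode digest is one assumed mitigation, not the fix the page reports.

```python
import hashlib
import hmac
from typing import Optional


def enable_mode_data_hash(validator: str, init_data: bytes, account: str, nonce: Optional[int]) -> bytes:
    """Digest the owner signs to authorise installing `validator` with `init_data`.
    nonce=None models the reported behaviour (no replay binding); an int binds a per-account counter."""
    h = hashlib.sha256()
    h.update(validator.encode())
    h.update(init_data)
    h.update(account.encode())
    if nonce is not None:
        h.update(nonce.to_bytes(32, "big"))
    return h.digest()


def sign(owner_key: bytes, digest: bytes) -> bytes:
    # HMAC stands in for ECDSA: all that matters here is "this key signed this digest".
    return hmac.new(owner_key, digest, hashlib.sha256).digest()


class Account:
    # Toy ERC-7579-style account (assumed shape); only the enable-mode signature path is modelled.
    def __init__(self, address: str, owner_key: bytes, bind_nonce: bool):
        self.address, self.owner_key, self.bind_nonce = address, owner_key, bind_nonce
        self.enable_nonce = 0  # incremented by every successful enable-mode install
        self.installed = set()

    def _check_enable_mode_signature(self, validator: str, init_data: bytes, sig: bytes) -> bool:
        nonce = self.enable_nonce if self.bind_nonce else None
        digest = enable_mode_data_hash(validator, init_data, self.address, nonce)
        return hmac.compare_digest(sign(self.owner_key, digest), sig)

    def install_via_enable_mode(self, validator: str, init_data: bytes, sig: bytes) -> bool:
        if not self._check_enable_mode_signature(validator, init_data, sig):
            return False
        self.enable_nonce += 1
        self.installed.add(validator)
        return True


def replay_demo(bind_nonce: bool):
    """Sign once, install, uninstall, then resubmit the same (module, initData, signature) triple."""
    acct = Account("0xacct", b"constructed-owner-key", bind_nonce)  # constructed sample values
    validator, init_data = "0xvalidator", b"constructed-init-data"
    digest = enable_mode_data_hash(validator, init_data, acct.address, 0 if bind_nonce else None)
    sig = sign(acct.owner_key, digest)
    first = acct.install_via_enable_mode(validator, init_data, sig)
    acct.installed.discard(validator)  # the user uninstalls the module later
    second = acct.install_via_enable_mode(validator, init_data, sig)
    return first, second  # reported behaviour: (True, True); nonce-bound: (True, False)
```

The userOp nonce never enters the inner digest in the reported behaviour, so the second install succeeds with the old signature; binding a counter that the account itself advances is what makes the second check fail.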

An Efficient Code Review Platform for Security-Conscious Organizations

Try it for yourself

Get started