Simplify Security with Cantina Code

Cantina Code is our code review platform designed to make your security review experience efficient. It’s the platform of choice for security-conscious teams.


Findings Dashboard

Take a comprehensive bird’s eye view of all findings, comments, and much more in a live continuous windowpane view.


Cantina Assistant

Deploy our AI assistant on your code, allowing researchers access to all the information they need to get started - and in turn, reducing the bandwidth required from your team.


Reputation Score

Quickly assess researcher submissions with a reputation score that reflects their proven track record, making it easier to manage findings and ignore spam, especially during bug bounties.

Pings

Pings reduce the opportunity for spam by limiting the number of @project tags a researcher has during an engagement based on their reputation level.

@project another concern related to supplyBalance.

Do we want the market value to exceed the cap? Assume a market is set at cap 10M and the vault owns 15M liquidity of the market. Do we want the value of the market to be capped at 10M? To reflect the full amount of the liquidity is more intuitive but riskier.

Assuming the vault wants to allocate 10% liquidity to a riskier market (e.g. DAI-Doge), in the event that Doge's price crashes, the Vault could potentially lose more than 10% of its liquidity.

Moreover, considering the morpho-blue protocol's removal of bad-debt socialization, we should discuss how the vault manager should handle situations in which a market has bad debt but keeps pumping the vault's value.

Notifications

Get alerts for every crucial piece of information you need to know, straight to your dashboard.


Filter

Add filters to your search by severity, author, or custom labels to find exactly what you’re looking for.


Shortcuts

Common actions deserve corresponding hotkeys to make your life easier.

Create findings

We’ve simplified and systematized the findings submission process, saving time for both researchers and organizations.

Sample finding from ModuleManager.sol (Likelihood: High, Impact: High, Severity: High):
During enable mode, two validators are used.

1. validator: The module to be installed as any module type that can be defined. It must be a validator either already before the user op or after enabling it as a validator in enable mode. This validator will be used to validate the final userOp.
2. enableModeSigValidator: This validator is used in _checkEnableModeSignature to check the _getEnableModeDataHash(validator, initData) for enabling the first validator.

Note that these two validators are independent of each other and might have different trust assumptions and privileges.

While a user operation has a nonce field (that is used in the userOpHash and its signature) and the entrypoint checks and increments this nonce to avoid replaying a user operation, the inner enableModeSignature does not have any such replay protection. The same module, moduleInitData, and enableModeSignature can be used in a different user operation to install the module a second time, for example, after the user has already uninstalled the module.

As the entire enable mode data is encoded in userOp.signature, which is not part of userOpHash, a bundler can replace the enable mode data with a different previously signed one without invalidating the user operation (as long as the enable mode bit and the validator encoded in userOp.nonce match).
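The reinstall-after-uninstall replay described in the sample finding, modelled as an added example that is not code from ModuleManager.sol or from Cantina: a constructed Python toy in which HMAC stands in for the owner's signature, the unbound path hashes only (validator, initData) as the finding describes, and the bound path additionally commits to an account-level enable nonce (an assumed mitigation, not the project's fix).

```python
import hashlib
import hmac

# Constructed toy model of the enable-mode flow in the finding above; it is not
# ModuleManager.sol, and HMAC stands in for the owner's signature so it runs offline.
OWNER_KEY = b"constructed-owner-key"

def enable_mode_data_hash(validator, init_data, nonce=None):
    # nonce=None mirrors _getEnableModeDataHash(validator, initData); with a
    # nonce the hash also commits to an account-level counter (hardened variant).
    payload = validator + init_data
    if nonce is not None:
        payload += nonce.to_bytes(32, "big")
    return hashlib.sha256(payload).digest()

def owner_sign(digest):
    return hmac.new(OWNER_KEY, digest, hashlib.sha256).digest()

class Account:
    def __init__(self):
        self.installed = set()
        self.enable_nonce = 0  # consumed only by the bound (hardened) path

    def install(self, validator, init_data, sig, bound):
        # bound=False: the signature covers only (validator, initData), as in the
        # finding, so the same signed payload verifies again in any later user op.
        # bound=True: the hash also commits to enable_nonce, which is incremented
        # on success, so a signature cannot be replayed after an uninstall.
        nonce = self.enable_nonce if bound else None
        digest = enable_mode_data_hash(validator, init_data, nonce)
        if not hmac.compare_digest(owner_sign(digest), sig):
            return False
        if bound:
            self.enable_nonce += 1
        self.installed.add(validator)
        return True

    def uninstall(self, validator):
        self.installed.discard(validator)

def replay_after_uninstall(bound):
    # Owner signs once; install, uninstall, then present the same signature again.
    validator, init_data, acct = b"\x01" * 20, b"init", Account()
    sig = owner_sign(enable_mode_data_hash(validator, init_data, 0 if bound else None))
    assert acct.install(validator, init_data, sig, bound)
    acct.uninstall(validator)
    return acct.install(validator, init_data, sig, bound)  # True only if unbound
```

The bundler-substitution variant in the finding (swapping in a different previously signed enable payload) is not modelled; the same missing binding between the enable-mode hash and the outer user operation is what makes it possible.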

FAQs

What is Cantina Code?

Cantina Code is a dedicated code review platform designed to conduct security reviews efficiently. It enables users to perform code reviews, chat with relevant parties, and submit security findings in an organized and collaborative environment.

Who can use Cantina Code?

Cantina Code is used by Organizations receiving security services and Security Researchers conducting code review. The interface adapts depending on whether you are a client or a researcher.

How does Cantina Code improve the security review process?

Cantina Code provides a real-time findings dashboard, reputation-based researcher scoring, researcher-to-client communication through comments and pings, and intuitive submission workflows. This simplifies collaboration and reduces response time during reviews.

What types of engagements are supported on Cantina Code?

Cantina Code supports public competitions, collaborative reviews, bug bounties, and customized engagement formats. The core Cantina team sets up repositories based on the specific engagement type and agreement.

What key features does Cantina Code offer for Clients?

Cantina Code gives clients real-time visibility into submitted findings, direct communication with researchers via comments and pings, and access to repository-level details like engagement type and review status. It also includes advanced features like:

  • AI-powered assistance to help teams triage and interpret findings
  • Automated de-duplication to avoid duplicate reports
  • Spam and low-signal submission filtering to surface only high-quality results
  • Streamlined issue tracking across live, judging, and completed review stages

These tools ensure that your security team can focus on what matters: resolving real vulnerabilities quickly and effectively.

What key features does Cantina Code offer for Security Researchers?

Researchers can submit findings, collaborate with team members, comment directly on code, use severity labels, update finding statuses, and access engagement details like deadlines, repository names, and competition types.

How do findings and submissions work in Cantina Code?

Researchers submit findings through a structured form where they can provide a title, detailed description, severity rating, and any supporting files. Clients can review, confirm, reject, or escalate submissions through an intuitive interface.

Is Cantina Code only available for Competitions?

No—Cantina Code is used across all security reviews on the platform, including Competitions, Reviews, and Bug Bounties. It's designed to support seamless collaboration, efficient submission handling, and transparent communication across every type of engagement on Cantina.

An Efficient Code Review Platform for Security-Conscious Organizations

Try it for yourself

Get started