Catch High-Risk DeFi Vulnerabilities Faster with Cantina Code

Cantina Code is our structured review platform designed for fast-moving DeFi teams. Whether you’re iterating on lending pools, AMMs, stablecoins, or DAOs, Cantina Code helps surface meaningful security findings earlier in your dev cycle—supporting protocol upgrades, economic changes, and multi-chain deployments.

'Fix issue #30': Enable mode would not install any module types but validators or multitypes with validator included.
Also includes fixes to issues #37, #38, #42 from PR #111.

Findings Dashboard

Take a comprehensive bird’s eye view of all findings, comments, and much more in a single live, continuously updated view.


Cantina Assistant

Deploy our AI assistant on your code, giving researchers access to all the information they need to get started and, in turn, reducing the bandwidth required from your team.


Reputation Score

Quickly assess researcher submissions with a reputation score that reflects their proven track record, making it easier to manage findings and ignore spam, especially during bug bounties.

Pings

Pings reduce the opportunity for spam by limiting the number of @project tags a researcher has during an engagement based on their reputation level.

@project another concern related to supplyBalance.

Do we want the market value to exceed the cap? Assume a market is set at cap 10M and the vault owns 15M liquidity of the market. Do we want the value of the market to be capped at 10M? To reflect the full amount of the liquidity is more intuitive but riskier.

Assuming the vault wants to allocate 10% liquidity to a riskier market (e.g. DAI-Doge), in the event that Doge's price crashes, the Vault could potentially lose more than 10% of its liquidity.

Moreover, considering the morpho-blue protocol's removal of bad-debt socialization, we should discuss how the vault manager should handle situations in which a market has bad debt but keeps pumping the vault's value.

Notifications

Get alerts for every crucial piece of information you need to know, straight to your dashboard.


Filter

Add filters to your search by severity, author, or custom labels to find exactly what you’re looking for.


Shortcuts

Common actions deserve corresponding hotkeys to make your life easier.

Create findings

We’ve simplified and systematized the findings submission process, saving time for both researchers and organizations.

Likelihood (optional): High
Impact (optional): High
Severity: High
During enable mode, two validators are used.

1. validator: The module to be installed as any module type that can be defined. It must be a validator either already before the user op or after enabling it as a validator in enable mode. This validator will be used to validate the final userOp.
2. enableModeSigValidator: This validator is used in _checkEnableModeSignature to check the _getEnableModeDataHash(validator, initData) for enabling the first validator.

Note that these two validators are independent of each other and might have different trust assumptions and privileges.

While a user operation has a nonce field (that is used in the userOpHash and its signature) and the entrypoint checks and increments this nonce to avoid replaying a user operation, the inner enableModeSignature does not have any such replay protection. The same module, moduleInitData, enableModeSignature can be used in a different user operation to install the module a second time, for example, after the user uninstalled the module already.

As the entire enable mode data is encoded in the userOp.signature that is not part of userOpHash, a bundler can replace the enable mode data with a different previously signed one without invalidating the user operation (as long as the enable mode bit and the validator encoded in the userOp.nonce match).
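The replay described in this finding, modelled as an added Python example that is not code from the page or from the audited project: the entrypoint nonce protects the user operation, but an enable-mode digest that covers only the module and its init data can be reused in a later operation after the module was uninstalled. The hardened variant that also commits to the account nonce is an assumed mitigation chosen for illustration, not the project's fix; HMAC stands in for the owner's ECDSA signature and the hash layout is constructed.

```python
import hashlib
import hmac

OWNER_KEY = b"constructed-owner-key"  # stand-in for the owner's signing key (constructed)


def keyed_sign(key: bytes, digest: bytes) -> bytes:
    # HMAC models the owner's signature; only the binding logic matters here.
    return hmac.new(key, digest, hashlib.sha256).digest()


def enable_mode_hash(validator: str, init_data: bytes, nonce) -> bytes:
    # nonce=None models _getEnableModeDataHash(validator, initData) as the finding
    # describes it: the digest covers only the module and its init data.
    # Including the userOp nonce (assumed mitigation) ties the digest to one operation.
    parts = [validator.encode(), init_data]
    if nonce is not None:
        parts.append(nonce.to_bytes(32, "big"))
    return hashlib.sha256(b"\x00".join(parts)).digest()


class Account:
    def __init__(self, bind_nonce: bool):
        self.bind_nonce = bind_nonce
        self.nonce = 0  # userOp nonce, checked and incremented by the entrypoint
        self.installed = set()

    def sign_enable(self, validator: str, init_data: bytes) -> bytes:
        n = self.nonce if self.bind_nonce else None
        return keyed_sign(OWNER_KEY, enable_mode_hash(validator, init_data, n))

    def validate_user_op(self, nonce: int, validator: str, init_data: bytes, enable_sig: bytes) -> bool:
        if nonce != self.nonce:  # entrypoint-level replay protection (outer nonce)
            return False
        self.nonce += 1
        n = nonce if self.bind_nonce else None  # inner check: model of _checkEnableModeSignature
        expected = keyed_sign(OWNER_KEY, enable_mode_hash(validator, init_data, n))
        if not hmac.compare_digest(expected, enable_sig):
            return False
        self.installed.add(validator)
        return True

    def uninstall(self, validator: str) -> None:
        self.installed.discard(validator)


def replay_reinstalls(bind_nonce: bool) -> bool:
    """Sign enable-mode data once, install, uninstall, then replay it in a fresh userOp."""
    acct = Account(bind_nonce)
    sig = acct.sign_enable("validatorA", b"init")  # signed for nonce 0
    assert acct.validate_user_op(0, "validatorA", b"init", sig)
    acct.uninstall("validatorA")
    acct.validate_user_op(1, "validatorA", b"init", sig)  # fresh outer nonce, old inner data
    return "validatorA" in acct.installed
```

Running `replay_reinstalls(False)` reproduces the finding (the module is installed a second time), while `replay_reinstalls(True)` shows the same replayed data rejected once the inner digest is bound to the nonce.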

FAQ

What is Cantina Code for DeFi Protocols?

Cantina Code is a specialized code review platform designed to efficiently conduct security reviews for DeFi protocols. It enables users to review smart contract code, communicate with relevant stakeholders, and submit security findings in a structured and collaborative environment.

Who can use Cantina Code for DeFi Protocols?

Both DeFi protocol teams and independent security researchers can use Cantina Code. The platform supports collaboration between protocol developers, auditors, and the broader security community to enhance the safety of decentralized finance applications.

How does Cantina Code improve the security review process for DeFi protocols?

Cantina Code streamlines the security review process by providing tools tailored for DeFi, such as live dashboards, AI assistants, and reputation scoring for researchers. This helps surface critical vulnerabilities earlier in the development cycle and supports ongoing protocol upgrades and multi-chain deployments.

What types of engagements are supported for DeFi protocols?

The platform supports a variety of engagement types relevant to DeFi, including security competitions, bug bounties, guild-based reviews, and fellowships. These formats allow DeFi projects to attract diverse security expertise and incentivize thorough code analysis.

What key features does Cantina Code offer for DeFi protocol teams?

  • Live Findings Dashboard: Real-time overview of all security findings and comments.
  • AI Assistant: Deployable on DeFi codebases to assist researchers and reduce team bandwidth.
  • Reputation Score: Quickly assess researcher submissions based on their track record.
  • Spam Reduction: Features like Pings limit unnecessary notifications and focus attention on high-quality findings.
  • Custom Filters: Search findings by severity, author, or custom labels for efficient triage.

What key features does Cantina Code offer for DeFi security researchers?

  • Streamlined Submission: Simplified process for submitting and tracking findings.
  • Reputation Building: Earn scores based on the quality and impact of submissions.
  • Collaboration Tools: Communicate directly with protocol teams and other researchers.
  • Shortcuts and Hotkeys: Speed up common actions during reviews.

How do findings and submissions work for DeFi protocols?

Researchers submit findings through a structured form, including severity, likelihood, and impact. Protocol teams can review, mark as duplicate, or reject submissions efficiently, ensuring a transparent and organized review process tailored for DeFi security needs.

Is Cantina Code only available for DeFi security competitions?

No, Cantina Code supports a range of engagement types beyond competitions, including ongoing bounties, guild reviews, and fellowships, making it suitable for continuous security monitoring and improvement of DeFi protocols.

An Efficient Code Review Platform for Security-Conscious Organizations

Try it for yourself

Get Started