Solana Projects › Cantina

Cantina

Securing the frontier of finance.

Programs · 24h on-chain

On-chain activity

All programs →

Cantina Code

Cantina Code is a code review platform that facilitates communication and coordination between developers and security researchers. Users can track findings, filter information, and receive notifications in a structured environment.

Visit
Project content

Cantina news, features & analysis

Matched from published articles, podcasts, and talks using the project name, token name, or token symbol.

  1. DeFi Article

    Solana Launches Native Subscription Billing and Recurring Payments on Mainnet

    The Subscriptions & Allowances program is open source, audited by Cantina and Spearbit, and available to any developer building payment flows on the network.

About

Cantina

Cantina is an AI-native smart contract security platform built by the Spearbit team that connects protocols with vetted researchers through competitions, private audits, and continuous AI-powered code analysis.

The Problem

Smart contract security has long suffered from a structural mismatch: auditing is high-stakes but traditionally manual, slow, and conducted through fragmented tooling with no dedicated platform. A single exploitable vulnerability can cost a protocol hundreds of millions of dollars — numerous high-profile bridge and DeFi hacks trace their losses directly to code that was either unaudited or inadequately reviewed. The demand for qualified security researchers outstrips supply, and even when audits happen, they typically deliver a one-time snapshot rather than continuous surveillance of deployed code.

Cantina was incubated by Spearbit — itself a decentralized network of elite security researchers assembled to match the best talent to the hardest problems — to build the platform infrastructure that addresses these inefficiencies systematically.

How It Works

Cantina operates across three primary engagement models, each calibrated for different protocol needs and risk profiles.

Security competitions are open, incentive-based code reviews in which vetted researchers from Cantina's 9,000-plus network compete to find vulnerabilities within a defined time window. Prize pools scale with severity: higher-impact findings earn larger payouts. This crowdsourced model creates strong incentives for thorough coverage that a traditional two-person audit team may miss. Uniswap's v4 security competition, run on Cantina in September 2024, offered a $2.35 million prize pool — at the time the largest security competition in DeFi history. The competitive format drives depth, since researchers are rewarded only for unique high-quality findings rather than by billable hours.

Private audits via Spearbit are hand-curated engagements matching protocols with elite researchers. Spearbit is Cantina's premium division — described by the platform as "the industry's most elite option for reviews" — and operates exclusively on the Cantina platform. Protocols working with Spearbit receive a tailored team assembled for the specific complexity of their codebase, rather than a generic firm assignment.

Continuous monitoring through Cantina's AI-native tooling complements point-in-time audits with ongoing surveillance. The AI Code Analyzer automatically scans for exploitable vulnerabilities across development and production environments. Cantina also runs Clarion, a Security Operations Center for real-time threat monitoring, and offers Web3SOC — a service modeled on institutional due diligence standards for DeFi protocols that need to demonstrate operational security maturity to partners, investors, and regulators.

Key Features

Beyond the core audit offering, Cantina has built a broader security stack:

  • Bug bounty programs: Protocols can host live bounties with defined scopes and prize pools. Active bounties on the platform have reached as high as $10 million for protocols like Reserve Protocol and $1 million for Paxos, providing a continuous channel for responsible disclosure after deployment.
  • Cantina Code: A dedicated platform purpose-built as a communication hub for researchers and clients during reviews, replacing fragmented tooling with structured workflows for findings, triage, and remediation tracking.
  • DNS monitoring: Cantina launched free DNS baseline scanning to detect domain abuse, lookalike hijacks, and infrastructure-level attacks — an under-attended attack surface for protocols managing significant on-chain assets.
  • SEAL Safe Harbor: Cantina provides verification services for protocols adopting the SEAL Safe Harbor framework, which grants legal protections to white-hat researchers who responsibly disclose vulnerabilities.
  • Fellowship program: A pathway for emerging researchers to build credentials and gain exposure within the Cantina network, addressing the longer-term talent supply problem.

Credentials and Scale

Cantina reports 4,474 issues uncovered across its engagements, over 9,020 researchers onboarded, and more than 200 projects secured. The platform claims $100 billion in live secured funds and $49.6 million in total researcher payouts. Cantina holds SOC 2 Type II certification — a compliance milestone that distinguishes it in a space where most security providers operate informally. Notable clients span the highest-value protocols in Web3: Coinbase, Uniswap, Aave, MakerDAO, Morpho, EigenLayer, zkSync, Optimism, Polygon, and OpenSea.

There is no native token. Cantina operates as a commercial security service.

AI-Native Differentiation

Cantina's positioning as "AI-native" reflects a genuine research and tooling investment. The platform's EVMbench research demonstrated that AI agents can exploit smart contract vulnerabilities with a 72.2% success rate — a finding that has shaped both Cantina's own tooling development and its advisory work around risks introduced by AI-assisted development. The AI Code Analyzer has produced verified results in production, including the detection of a critical consensus bug in Provenance Blockchain.

As AI coding assistants accelerate smart contract development — and introduce new classes of LLM-generated vulnerabilities — Cantina has published research on prompt injection prevention, AppSec risks from AI coding tools, and the challenge of securing AI agents. This positions the platform at the intersection of two converging trends: rising smart contract complexity and AI-driven development risk.

Solana Ecosystem Fit

While Cantina's highest-profile engagements have been on EVM chains, the platform covers Solana's security landscape directly. Cantina published a dedicated security guide for Solana program upgrades addressing ghost state vulnerabilities, uninitialized accounts, and authority control patterns that are unique to Solana's default upgrade mechanism — risks that are materially different from EVM contract security and require distinct expertise.

Solana's DeFi and institutional infrastructure continues to scale, and the demand for high-quality audit and continuous monitoring services on the chain is growing in parallel. Cantina's combination of competition-based discovery, Spearbit's elite private audits, AI-native monitoring, and a researcher network exceeding 9,000 gives it a credible cross-chain security presence as more protocols deploy across both EVM and Solana ecosystems.

Background

Cantina was incubated by Spearbit and launched in 2023, positioning itself as the platform layer built on top of Spearbit's existing researcher network. Rather than competing as a standalone auditing firm, Cantina is designed to be the infrastructure connecting protocols to the full range of security services — from open competitions to elite private reviews to continuous monitoring — through a single coordinated platform.

Contents

Note: inclusion in Solana Compass directory does not indicate a recommendation or endorsement of this project, its token(s) or its products. Data sourced with thanks from The Grid to aid in building these pages.

Reviews

0.0
0 reviews
Please login to write a review.
Solana tokens

Solana Token Markets

Explore all tokens →