An emphasis on security is a function of maturity in any sector; people don't buy locks until they have something to protect. As many users and developers know all too well, smart contract risk is an issue that has plagued virtually every sector of the crypto space, resulting in loss of funds and trust. Achieving high security standards is paramount for blockchain technology to expand and mature successfully. Can we ensure every piece of code is perfect? No. Can we improve the market to raise the industry’s collective security posture? Absolutely.
The question is: How to most effectively connect projects with tier 1 security researchers and firms? And beyond that, how to match them with experts in the specific kind of codebase they are working with at a price point that doesn’t break the bank?
Current security offerings aren’t providing an adequate solution, at least not at scale, as evidenced by the sheer number of hacks we’ve seen in the space.
We’re building Cantina, a first-of-a-kind security services marketplace connecting the top security researchers and solutions with clients to solve this issue and redefine how security reviews are done. Let’s dive into why we built Cantina and the gap it will fill in the blockchain security market.
First, let’s explore the current landscape.
The State of Crypto Security
TL;DR
Security Market Needs:
Top security researchers want flexibility and fair compensation
Dev teams want high quality security services at a commensurate price
Issues:
Large firms take ~80% of the pay on a given contract and offer limited schedule flexibility
This pushes top researchers to work independently or in small groups
Independent researchers have to take on legal, bizdev, and admin responsibilities themselves, which is inefficient
Cantina’s Solution:
A marketplace to connect qualified independent researchers/guilds to demand for their services
Resources to handle legal & administrative side of security engagements
Clients pay less for higher quality services with more choices, researchers earn 80% of pay instead of 20% and can take on contracts at their own discretion
Through extensive on-the-job experience, talks with developers, and building up one of the industry’s top security researcher guilds, our team has compiled the issues commonly facing both sides of the security market.
Those seeking security services typically have a few common objectives:
Finding the best researchers for their specific needs
Choosing a reputable firm that can be trusted
Staying within budget
Security service providers can be divided up into a few categories:
Large firms
Competitive/bounty programs
Boutique firms
Independent researchers
Let’s take a look at how the existing landscape stacks up.
The Large Firm Route
Going with a large, well-known crypto security firm may provide the desired optics and decent quality, but it has drawbacks regarding cost and specialized expertise. While having a big-name firm attached to your code might look good from a marketing standpoint, the top priority is always to stay off the Rekt Leaderboard. If you click into some of the exploits on there, it’s clear that these firms aren’t preventing major security issues effectively. There are few large-scale firms relative to the number of protocols in need of security reviews, and this centralization of security services hasn’t been the most successful model.
Senior security experts don’t want to deal with the unfavorable pay structure of big firms, where the researchers only see under 10% of the pay for a given contract. Add in the lack of flexibility with hours, and it makes sense why a big chunk of the top talent will typically be found outside of these firms. At the end of the day, large firms don’t scale effectively, and the end consumer pays a premium for the ‘big name’ instead of a quality security review. Reputable security researchers tend to make these brands known, but without the proper incentives in place, they inevitably leave, and clients are left wondering what happened to the quality of the shop. In the past two years, this trend has accelerated as more options arise for researchers, and Cantina is embracing the shift.
The Bounty & Competition Route
Platforms like Code4rena, Sherlock, Immunefi, and plenty of others host audit competitions, inviting all levels of security researchers to find bugs. One issue for clients here is that these services produce duplicate findings, since competitions attract many researchers working independently. This is also inefficient for participants, as the client isn’t going to pay out multiple times for the same finding. Ultimately, competitive reviews don’t incentivize top talent to stick around and don’t provide the same depth of coverage as a coordinated team.
The Boutique Firm Route
Boutique firms are small shops that perform audits and security reviews and typically have an excellent team in-house. While these firms often perform great reviews, they are naturally supply constrained and, consequently, fetch a high price from clients who wait in long queues. Moreover, these firms don’t have the resources to invest in business development and sales pipelines, which can make it challenging for them to meet the needs of higher-touch clients.
The Independent Researcher Route
Finally, there’s the world of independent researchers. This is often where clients will find tier-1 talent; as with any industry, the best want to work for themselves. However, this subsection of the market presents its own challenges. Establishing a reputation as an independent researcher can be tough. These researchers are even more supply constrained than boutique firms, and they don’t usually have the legal resources to deal with challenging situations. Ultimately, it’s a trust issue on both sides of the table: clients need to know they’re getting quality work, and researchers need to guarantee they get paid. These factors often hold back independent researchers and small guilds from accessing major deals, as they don’t have the resources and/or recognition to land them.
Filling The Security Market Gaps
Incubated by Spearbit, one of the industry’s most successful and prestigious security guilds, Cantina was built to remedy these issues. Cantina’s curated marketplace approach has been guided by working with hundreds of independent researchers and small groups daily at Spearbit, which gave the team a firsthand look at the current issues with the crypto security industry. Spearbit coordinates a network of 100+ vetted and independent security researchers to service the security needs of big-name brands including OpenSea, Polygon’s zkEVM, and Optimism.
Put simply, we can see the massive potential for improving the blockchain security landscape by connecting the right talent to projects in need.
As the space matures, users will demand stronger guarantees of protocol security, and bugs/exploits must be mitigated for mass adoption to be realistic. Creating a security service marketplace allows top talent to connect with a broader universe of prospective clients, get paid appropriately, and operate on a more flexible schedule. The platform also handles legal and administrative processes, vetting clients and researchers to ensure contracts are coordinated smoothly.
Built For Clients and Researchers
For those looking to take on contracts and monetize their smart contract security expertise, there are plenty of reasons to join Cantina. It's a place to build and display a public track record of your work and get your name in front of prospective clients without having to search them out. The pay distribution is much more favorable compared to working for a large firm. On top of the economic advantages, your schedule is in your hands, as you can take on projects at your discretion.
Lastly, for researchers and guilds, Cantina has you covered on the legal and administrative side of the business. Our experienced team vets potential clients, and legal resources are available in the event of a contract dispute. Cantina wants to make reviewing code as easy as hosting on Airbnb. On Cantina, security researchers can focus on what they do best: reviewing code and preventing new additions to the Rekt Leaderboard.
On the client side, Cantina is the ‘bang-for-your-buck’ solution for teams in search of security services. Where else can you handpick from a curated group of tier 1 security experts, get multiple bids, and pay less than you would for a large audit firm? The talent available on Cantina allows you to find experts for your specific code. Cantina’s goal is to be a one-stop shop for your security needs: no more months of shopping around with brand-name security firms or hoping the bounties you put out catch everything. Get the best selection all in one place and reduce your security engagement timeline so you can ship faster.
What’s Next?
We're kicking things off with a public goods security review to demonstrate the power of Cantina and contribute to the security of one of the most widely used codebases out there. The project is a multi-week security review of the Solady Solidity Library and will be the first public goods security review in crypto. We’ve started raising funds through sponsorship and crowdfunding to put together the dream team on Cantina. Public goods like Solady benefit the community greatly, but with no entity behind them, funding a full-scale security review would typically be out of the question.
For the platform itself, we’ll be releasing more details on the key features soon, and shortly after, Cantina will open up for security researchers, guilds, and clients. Join us on Twitter and follow here on Paragraph as we roll out all the information and updates heading into the launch. For potential clients and researchers, sign-up details will be live soon at cantina.xyz.
About Cantina: The first marketplace for web3 security. We've aggregated the security talent and solutions so you don't have to. Find the expert researchers that fit your needs at a price that doesn’t break the bank.