Cantina Code for Security Researchers

Cantina Code provides security researchers with a robust platform to conduct their work, from submitting findings to interacting with code and other users. This page covers the key features and functionalities that will help you navigate and make the most of Cantina Code.

1. Download Content & Toggle Sidebar

Cantina Code allows you to download the content of a repository and manage the interface through the sidebar.
  • Download Content: You can download the entire repository content by clicking the download button, which will provide you with a compressed .zip file containing the source code (excluding .git version control data).
  • Toggle Sidebar: Easily toggle the sidebar to access repository details, file navigation, and additional tools.

2. Highlighting Code

The ability to highlight portions of code allows for efficient interaction during security reviews. Once highlighted, you have several options:
  • Copy Line: Copies the contents of the highlighted area.
  • Copy Permalink: Copies the URL pointing to the exact highlighted area.
  • Comment Line: Opens a comment thread under the highlighted code for further discussion.
  • Link to Existing Finding: Links the highlighted area to an already open finding.
  • Reference in New Finding: Starts a new finding submission process by referencing the highlighted code.

3. Findings Submission Process

Submitting a finding is easy and can be done in two ways:
  1. By highlighting code during a Code Review, or
  2. By clicking the “New Finding” button in the Findings section.
Required Fields:
  • Severity: How critical the vulnerability is (ranging from Critical to Low).
  • Likelihood: The probability of the vulnerability being exploited (optional).
  • Impact: The potential consequences of the exploit (optional).
  • Title: A brief description of the vulnerability.
  • Description: A detailed explanation of the issue, including proof of concept, tests, or diagrams.
Optional: You can also select a standard template to guide the writing process. Once submitted, findings will appear in the Findings section for further processing.

4. Findings Labels & Statuses

Labels: Labels are tags you can assign to your findings for better organization. The availability of custom labels depends on the repository and security review type.

Statuses: Each finding has a status that reflects its current state. Common statuses include:
  • New: Default status when a finding is first submitted.
  • Confirmed: When the finding is validated.
  • Acknowledged: When the finding is confirmed by the sponsor or judge.
  • Fixed: After the sponsor applies a fix to the vulnerability.
  • Withdrawn: When a researcher withdraws their finding.

5. Add Code to Existing Finding

You can link new code areas to an existing finding. This allows you to further clarify or expand on your discovery without creating a new finding from scratch.

6. Better Findings with Cantina Assistant

Cantina’s AI-powered Cantina Assistant helps you craft more effective findings by:
  • Analyzing your findings for clarity.
  • Ensuring your submission follows the correct format.
  • Verifying that it includes the necessary proof of concept.
Using the Assistant significantly increases your chances of submitting higher-quality findings, which can result in more successful outcomes.

7. New Shortcuts

Cantina Code supports several keyboard shortcuts to enhance navigation:
  • CMD+P (Ctrl+P on Windows/Linux): Opens the “jump to file” capability.
  • CMD+B (Ctrl+B on Windows/Linux): Quickly hides the file explorer in the Code Review tab.

8. Diagrams & Formulas

Cantina Code allows you to include Mermaid.js diagrams and MathJax formulas within your comments and findings, making it easier to visualize and communicate complex ideas.

Mermaid Diagrams

You can create sequence diagrams, flowcharts, and more using Mermaid.js syntax. For example: This will render as a visual diagram that illustrates a reentrancy attack on a smart contract.
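As an added illustration (this is not the diagram from the original page), the following Mermaid sequence diagram is the kind a researcher might paste into a finding's description to document a reentrancy issue; the participant names and function names are hypothetical, and the closing note records the mitigation the finding would recommend:

```mermaid
sequenceDiagram
    participant A as AttackerContract
    participant V as VulnerableVault
    A->>V: withdraw()
    V->>V: check balances[A] > 0
    V->>A: send ETH (external call made before balances[A] is updated)
    A->>V: withdraw() again, from the receive/fallback handler
    V->>V: balances[A] still unchanged, so the check passes again
    V->>A: send ETH a second time
    Note over V: Mitigation: update balances[A] before the external call (checks-effects-interactions) or add a reentrancy guard
```

Keeping the state-update step and the external-call step as separate arrows makes the ordering problem visible at a glance, which is usually the clearest way to communicate this class of issue to a sponsor.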

MathJax Formulas

Cantina also supports MathJax, allowing you to include mathematical formulas in your findings. For example:

$$H_{f} = \frac{\sum Collateral_{i}\;in\;ETH \times Liquidation\;Threshold}{Total\;Collateral\;in\;ETH}$$

This will render the formula in a readable format, helping you explain complex mathematical models clearly.

9. Finding Workflow Optimization

Cantina Code streamlines the process of managing and submitting findings with various tools and features:
  • Linking existing code to a finding.
  • Using custom labels to categorize findings in private reviews.
  • Hidden comments for sensitive communications during escalations.
These features help you keep track of your work and ensure that findings are handled efficiently and professionally.