Skip to main content

Competition Participation

In Cantina, security researchers can join competitions to showcase their skills and earn rewards. Here’s everything you need to know to participate effectively:

Joining as an Individual Researcher

To participate in competitions you must first:

Joining as a Team

At Cantina, researchers can form teams to participate in competitions. To register as a team, follow the steps below:
  1. Team Creation:
    • Head to the team-submissions chat in our Discord channel.
    • Send your team submission request using the following format:
      • Team Name:
      • Competition Name:
      • Team Lead (Cantina Username):
      • Other Team Members (Cantina Usernames):
Once the Cantina core team processes your application, your team will appear at the top-right section of the competition repository.
  1. Team Payments:
    • Payments are disbursed to team leaders, who are responsible for distributing them fairly.
    • Cantina is not liable for internal disputes between teammates.
  2. Important:
    • Team applications are valid only for the competition specified. If you want to participate in a different competition, submit a new application.
    • No findings can be made before the team is created. Once a finding is submitted, the team cannot be updated.

Finding Statuses & Labels

During the competition, your findings will be labeled and tracked. Below are the different finding statuses and labels:

Finding Statuses

  • New: Assigned to newly submitted findings.
  • Rejected: If a finding doesn’t meet competition criteria, it will be rejected.
  • Duplicate: If another researcher submits the same issue, it’s labeled as a duplicate.
  • Confirmed: Valid findings are marked as confirmed and are rewarded.
  • Spam: Low-quality or irrelevant findings are marked as spam.
  • Withdrawn: If you withdraw a finding, it will be marked as withdrawn.

Finding Labels

  • Escalated: Applied when a researcher disagrees with a judge’s decision and escalates the issue.

Payment Process

KYC & Payment Setup

To receive payments, you must complete the KYC (Know Your Customer) process and set up your payment address. For detailed instructions, check out our KYC and Payments Page.

Payment Statuses

  • Planned: Payment is scheduled, but the KYC process may be incomplete.
  • Scheduled: Payment is scheduled and will be processed in the next transaction batch.
  • Submitted: Payment is awaiting multi-sig approval.
  • Executed: Payment is successfully processed on-chain.
  • Disputed: Payment is delayed or disputed during the planned or scheduled phase.
  • Cancelled: Payment was canceled.

Scoring & Prize Distribution

The competition prize pool is distributed based on the severity of the findings.
  • High Severity: 10 points
  • Medium Severity: 3 points
  • Low Severity/Informational/Gas-Optimization: These will be assessed on a separate pool, as announced in the competition’s specific details.

Duplicate Findings

When multiple researchers submit the same finding, points for each participant are scaled down based on the formula: Points=0.9n1\text{Points} = 0.9^{n-1} where n is the number of duplicate findings. For example, if there are 3 duplicates for a high-severity bug (10 points), each participant receives 2.7 points. The competition rewards unique findings—the more original your submission, the greater your payout potential!

Judging Process

Judges evaluate submissions based on a set of established rules, ensuring each finding is assessed fairly. They also handle duplication of findings, ensuring the competition remains competitive and equitable.

Judge Responsibilities

  • Verifying finding validity.
  • Handling duplication of issues.
  • Collaborating with sponsors for further evaluation.
  • Overseeing the escalation process.

Escalation Process

After the judging phase, if a researcher disagrees with the severity of their finding, they may request an escalation. During this phase:
  • Only the researcher who submitted the finding can escalate it.
  • Invalid escalations are penalized with a $100 fine from future competition earnings.
  • Cantina has the final say on escalations.
Private Comments on Findings Researchers can add private comments on any finding. These comments are only visible to the judges and can help them make an informed decision during the review process. Please keep comments objective and focused on the findings.

Competition Flow: From Submission to Payout

  1. Submit Finding: Researchers submit their findings for evaluation.
  2. Judging: Judges assess the findings for validity, severity, and relevance.
  3. Escalation (if applicable): Researchers can escalate findings if they disagree with the judgment.
  4. Payment: Once confirmed, researchers complete the KYC process and are scheduled for payment.

FAQs

Does it matter who submits the finding first?

No, every finding is scored the same regardless of when it was submitted during the competition. We encourage early, high-quality submissions to allow your teammates to leave feedback and plan fixes.

Can I withdraw my finding?

Yes, you can withdraw findings through the finding’s context menu.

How are low-severity or informational findings judged?

Some competitions reserve a pool for these findings. This is explicitly mentioned in the competition details. High-quality findings (regardless of severity) may also earn rewards from this pool.