About Spearbit & Cantina:
We're building Cantina, an AI Security Platform that secures the world's code. Originally the "GitHub for Security" — connecting security researchers with the projects needing their expertise — Cantina has evolved into a multi-product platform spanning Apex, Clarion, and Cantina Bounties. It has powered major competitions and serves many of the leading projects in Web3, supporting collaborative security reviews, public and private competitions, bug bounty programs, AI-driven code analysis, and a security operations center (SOC) that monitors, triages, and responds to live alerts and threats.
Similar to how cloud-security startups emerged previously, Cantina aims to be the definitive code-security platform for the future.
The role:
Join a team of elite security researchers conducting deep-dive audits of smart contracts, protocols, and blockchain infrastructure. You'll analyze attack surfaces across DeFi, tokenomics, governance, MEV, bridges, and ZK systems — working solo or within a pod of senior researchers to find what others miss. Beyond identifying bugs, you'll reproduce exploits, write POCs, and deliver clear, actionable writeups with real technical and business impact.
What You’ll Do
- Perform deep-dive security reviews of smart contracts, protocols, and blockchain infrastructure
- Analyze protocol designs and identify attack surfaces across DeFi primitives, tokenomics, governance, MEV, bridges, and ZK systems
- Work within a pod or as part of a curated team with other senior researchers
- Provide actionable recommendations with clear technical and business impact assessments
- Reproduce exploits, write POCs, and occasionally contribute patches
- Publish post-mortems, technical articles, and internal reports as part of the knowledge-sharing culture
Who You Are
- Experienced: You've worked on or audited complex smart contracts and are deeply familiar with Solidity, EVM behaviour, and common vulnerability classes (e.g., reentrancy, logic flaws, gas griefing, access control). Bonus if you have exposure to Move, ZK, Cairo, Rust, or low-level protocol implementations.
- Curious and Relentless: You don't stop at surface-level bugs. You model systems end-to-end and attack assumptions from first principles.
- Collaborative: You enjoy working with other security researchers and protocol developers to ship secure products.
- Detail-Oriented: You produce clear, concise, and rigorous technical writeups. Your GitHub issues or findings are actionable and professional.
- Credible: You've either contributed to open source projects, published security research, performed audits, played CTFs, or made a name for yourself in the bug bounty world.
- Decentralization-Aligned: You value open networks, cryptographic innovation, and building resilient systems.
Preferred Qualifications
- Deep understanding of the EVM and Solidity
- Experience auditing production smart contracts (solo or in teams)
- Experience with cross-chain protocols, bridging, rollups, or ZK systems
- Track record of high-impact bugs in bounties, audits, or competitions (e.g., Cantina, Paradigm CTF)
- Familiarity with Ethereum security tooling: Foundry, Echidna, Slither, etc.
- Experience writing or reviewing technical specs or protocol docs
Nice to Haves
- Prior experience in formal audits (Spearbit, Zellic, Trail of Bits, etc.)
- Familiar with the Cantina Platform
- Lead reviewer experience or ability to manage a team of researchers
- Contributions to open-source security tooling
- Security publications, conference talks, or technical blog posts
Employment Eligibility & E-Verify Notice
Cantina welcomes applications from both domestic and international candidates depending on the specific location requirements of each role.
For positions based in the United States, we participate in the federal E-Verify program to confirm the identity and employment authorization of all newly hired employees. If you are applying for a U.S.-based role, please review the official E-Verify Participation Notice and the Right to Work Notice for details on your rights and responsibilities. E-Verify requirements do not apply to roles based outside of the United States.