Security is paramount in crypto, but as regular coverage of hacks and other exploits make plain, it is not taken seriously enough. Spearbit wants to change that, and it just raised a new round to accelerate its efforts.
The startup raised $7 million in a funding round led by Framework Ventures with Nascent, 1kx, Volt Capital, Breed VC, Robot Ventures and others participating, the company exclusively told TechCrunch. The capital will go toward building out Cantina, its open marketplace for web3 security auditors, as well as hiring more software engineers to automate its services and product marketplace workflow, company co-founder Spencer Macdonald shared.
The startup previously raised a pre-seed round of $1.5 million in late 2021, bringing its total capital raised to $8.5 million today. The startup did not disclose a valuation, but PitchBook data pegs its worth at around $48 million on a post-money basis.
Spearbit was founded in November 2021, with three of its five founders coming from the Ethereum Foundation, in an effort to bridge the gap between freelance researchers and crypto protocols and companies that needed security audits. Since then, it has vetted and trained over 100 researchers that are available for hire on its marketplace.
In the past few months, the firm has worked with major clients including OpenSea, Nouns DAO and Polygon.
Its near-term goal is to launch two products: Cantina Managed Service, which aims to help solo auditors to get deal flow and do smart contract audits, and Cantina Guilds, small-to-medium audit shops that specialize in specific sectors and will host their services as a “guild” on the platform.
By creating a marketplace, Spearbit could bring welcome transparency to the web3 security market. “Right now there’s no price transparency,” Macdonald said. “If you go to these centralized auditing firms they say, ‘Hey this is the price deal with it,’ it takes weeks to get a quote, there’s no way to figure out who’s best for a particular tech stack and on the talent side, auditors at these firms are very talented but have no work-life balance and it’s like a sweatshop because they audit continuously.”
Audit firms tend to keep a majority of their margins, something that Spearbit wants to invert by conserving more income for auditors themselves. Cantina takes just a 20% to 30% cut. “That’s a huge change because it’s the same talent pool in this community since day one that are former employees of these [firms].”
As it stands, the current security auditing world in crypto is pretty fragmented, Hari Mulackal, Spearbit co-founder, noted. “We were disappointed by the state of security in the ecosystem with hacks every week.” Even last week, Curve Finance saw an exploit of $62 million. “There’s a big need for security in the space and there wasn’t enough [being done], so we wanted to solve our own problems and create something to fix it.”
Crypto clients looking for security auditing help typically go with auditors that do the most marketing rather than those who are the most talented, Mulackal said.
But engineers aren’t typically good at marketing themselves. “We want to give visibility to independent people and small teams, these boutique firms instantly connect to Cantina — they don’t need to hire a marketing person, [or a] legal person; they can have it handled by us.”
In general, most clients using Spearbit don’t go for the cheapest audit available, Mulackal said. “They fundamentally understand why this is needed and just want the right people. Clients are getting more educated and we want to enable them to do that and make their own picks rather than going with the cheapest.”
During the last bull market, the crypto industry didn’t take security as seriously as it should have, Macdonald said. “But now, in the bear market the industry is starting to self regulate and have this common ethic of needing to ship secure code. That’s been a definite change.” At the same time, as security priority grows, there are also people who still want to freelance and own their own work, so Spearbit is trying to fill that gap with Cantina, he added.
Going forward, the industry needs to continue to professionalize, Macdonald said. The stakes in blockchain security continue to be high, as black hat hackers can get instant money through exploiting others. Large crypto protocols and platforms are starting to require “holistic security,” which is an improvement because it looks at all aspects of a platform, project or company, opposed to just focusing on major security risks.
But in order for the whole ecosystem to improve, there needs to be a continuous emphasis on security. Otherwise there will be major hacks in the future, similar — if not worse — to ones the industry has seen in recent years.