Stake Heist is finally here, launching on April 17th at noon PT and running for two weeks, in collaboration with Gitcoin! We have increased the prize pool for Stake Heist to 15,000,000 ONE.

After several rounds of extensive testing with our close community, we are ready to invite hackers to Harmony’s Open Staking testnet.

Come join the Open Staking Testnet Network (‘OSTN’):

  1. Create your validator
  2. Start staking and collecting delegations
  3. Compete for the bounties.

It will be useful to go through Harmony’s staking model and token economics before you begin your conquest on Stake Heist, here’s a list of useful links to get you started:

What are the bounties?

There are two categories of bounties in Stake Heist:

Exploit: These bounties help us identify vulnerabilities in our design and code. These are open ended and usually include attack vectors and exploits.


  1. Manipulate earned rewards as a validator
  2. Stake tokens you don’t own or create tokens out of thin air
  3. Control more than 1/3 or 2/3 of voting power in a shard (sybil, timejack attacks)
  4. Edit configurations of other validators with malicious intent
  5. Manipulate median in a way to gain unfair advantage
  6. DDOS a validator node to prevent it to propose/sign blocks (BINGO)
  7. Perform a double-spend attack on the network
  8. Gain control of a validator or node that isn’t yours
  9. Find creative ways to exploit EPoS and economic design

Project: These bounties are projects that are useful for validators and delegators to use for staking. Examples:

  1. Auto-restake tool for validators
  2. Build a validator portal (social, informative)
  3. Alert mechanisms for validators and delegators
  4. Add a multi-delegate feature on staking dashboard

If your project idea doesn’t match with a bounty above, feel free to create a new one following the same guidelines.

Prizes and judging criteria

There are three tiers of rewards/prizes. Each bounty submission could be eligible for any (or all) of the prize tiers. Please check the original bounty posting to see which tiers are applicable.

Judging criteria will take into consideration:

  • Criticality of the exploits (e.g., users/cases impacted, size of impact)
  • How simple/complex it is to reproduce
  • Level of research and analysis done by the reporter
  • Relationship to existing bugs (derivatives of known issues are not likely to be eligible for prizes)

Please note that the prizes will be paid in native ONE tokens and USD value of prizes could change based on the rate.

Submission process and guidelines


  1. Give us a heads up by sending an email to with the brief description of your planned exploit (Recommended at least 2 hours prior to submission, especially for exploits that could affect network stability)
  2. Submit the evidence of your work by opening a new issue on Harmony main repo, using the stake heist submission’ template. Make sure to click ‘submit work’ and link your issue on Gitcoin when you submit. You’ll need a tiny amount of ETH for gas to submit, but if you don’t have any you can request some from the Gitcoin Faucet.
  3. Wait up to 12 hours until our team tags your submission as valid. Please stay in contact with our team in case of additional requests. You can reach us via Github, Gitcoin Chat and
  4. After a submission is tagged as valid, any further similar submissions will not be eligible for prizes. It is in participant’s responsibility to track other valid submissions (note that ‘valid’ tag does not guarantee rewards)
  5. You will receive the final decision of winners within 2 weeks after the competition ends


  1. Submit a scope approval request by clicking ‘start work’ button on the Gitcoin posting for the bounty. Please include in your request the following:
  • Short description of deliverable
  • Estimated time to finish (for projects that may overrun the competition)
  • List of functionalities and features

2. Once your scope request is approved by our team (within 24 hours of submission), you can start working on the project. Projects could be finished after competition ends as long as the scope is approved by the team.

3. Submit your work by opening a new issue or a pull request on Harmony main repo, using the ‘stake heist submission’ template

4. You will receive the final decision of winners within 2 weeks after the competition ends OR after work is submitted.

Competition terms

  • There will be no duplicate rewards for similar submissions, it’s in participant’s responsibility to track submissions up to date in order to avoid duplicate work
  • Exploits that are related to issues identified and reported before the competition start date will not be eligible for submission
  • Please provide detailed reports and reproducible steps. Incorrect report formats will not be eligible for complete review
  • Do not attack other Harmony networks other than OSTN
  • All activities related to a bounty can be found under the original posting
  • Participants need to complete KYC to claim prizes (government ID needed)
  • Final prizes will be decided within 2 weeks of competition end OR 2 weeks after submission (in case this is a late submission) by the Harmony team
  • Stake Heist will go on for 2 weeks after launch. Submissions made during this period will be eligible for Stake Heist prizes. The event ends on May 1st at 23:59 UTC
  • Note that Harmony is an open source project
  • Exploits that are solely driven by external factors such as validator’s personal negligence to security and using 3rd party applications of the node software will not be eligible for prizes

Join the conversation