[Tour de SOL] Stage 8 - Details

Introductory Note

Thanks to everyone that participated in Stage 7. With us now moving into August, we’re going to be shifting into Stage 8. There’s still plenty of work to be done on the below features. So overall there aren’t any major changes to the structure this month. The focus will be:

  • Stake-O-Matic

Stage 8 - Details

  • Start Date/Time: Tues, 21st of September, ~10:00am PT
  • Estimated Duration: 4 weeks
  • Malicious behaviour will be incentivised
  • The focus of Stage 8 will be Stake-O-Matic

Registration closes the 20th of September 8:00am PT

Future Stages

  • Additional details will be announced progressively depending on the progress made on the previous stages
  • Within each stage the allowable attack surface will vary depending on engineering goals and any new features enabled with each new release. Similarly, the metrics against which participants will be measured will vary to suit
  • Our intention at this point in time is for each Stage to run for up to approximately 4 weeks.
  • Future stages will not start until the previous stage is complete

Note that we reserve the right to change the schedule/duration if required, but we’ll endeavour to provide clear and ample notification if so.

Attack Surface

Each Stage will be configured to behave exactly like the next-in-line upgrade for the Mainnet Beta network at each respective point in time. Participants can expect the attack surface to grow over time as more features are enabled. We’ll be continuing with the v1.3.x release line for Stage 8.


Compensation has remained slightly changed since Stage 4. Recap on the structure provided below.


This will be measured by multiple factors, including but not limited to if you’ve joined the network, are actively staked, are responsive to issues (i.e. don’t become delinquent, or actively work to resolve the issue if you become delinquent), implement patches/upgrades within a reasonable timeframe and remain so until the end of the stage.

Compensation Amount: 500 SOL per participant

Security Bug Bounties
We’ll be incentivising participants for identifying security issues within the network. This has been renamed because the previous title gave the impression to participants that an attack had to be successfully executed to be eligible for compensation. This is not the case: participants that reveal a security attack vector to the team, without executing the attack, will still be eligible. Security Bugs will still be classified into several overarching categories:

Critical Bugs

  • Loss of Funds/Safety Violation:
    • 50,000 SOL
  • Loss of Availability (i.e. halting the network or preventing consensus from moving forward)
    • 25,000 SOL
  • DoS (i.e. flooding the node with messages, but not overwhelming the hardware)
    • 20,000 SOL
  • Any bugs that are ‘Critical’ but do not fall under the above categories will be assessed on a case-by-case basis and awarded
    • Up to 50,000 SOL

Smart Contracts Bugs
Bugs specifically relating to Solana’s smart contract module

5,000 SOL each

Non-Critical Bugs
Any other security bugs that are identified but don’t fall within the ‘Critical’ category.

3,000 SOL each

Accidental Bug Identification
Bugs that are accidentally identified by any participant during Tour de SOL will still be eligible for compensation. Note that individuals are responsible for adding the following comment in the issue “Found in TdS Stage #” and requesting that the Solana team add the “tour-de-sol” label to the issue, otherwise it won’t be counted.

3,000 SOL each

The introduction of this is not to discount the amount of effort required to deliberately identify exploits, but to encourage and incentivize participants for experimenting and exploring the code.

Eligibility for Bug Compensations:

  • The participant submitting the bug bounty still must file a GitHub issue, describing the attack to be eligible (amongst registration requirements etc.) for the compensation.
  • Valid exploits can be eligible even if they are not successfully executed on the cluster
  • Multiple submissions for the same class of exploit are still eligible for compensation, though may be compensated at a lower rate, however these will be assessed on a case-by-case basis
  • Note that individuals are responsible for adding the following comment in the issue “Found in TdS Stage #” and requesting that the Solana team add the “tour-de-sol” label to the issue, otherwise it won’t be counted

Other Notes:

  • As with all previous compensation, SOL earned are locked for 12 months and will be distributed quarterly in general
  • U.S. individuals and entities are EXCLUDED from participating

Communication Channels for the Event:

  • Solana Discord : We’ve set up a channel titled #tourdesol-announcements which you can join to stay up to date on any major updates related to the events
  • For any questions please reach out to Dominic (watch out for imposters):

Final Words

As always feel free to reach out if you have any queries or concerns. A friendly reminder that participants need to complete registration for us to be able to distribute compensation. If you have issues on that front please also reach out.


So the usefulness of this as an actual security or reliability exercise is called into question.

To participate in this bug bounty promo, someone has to do all of the following things:

  • agree to the GitHub TOS
  • agree to the Discord TOS
  • agree to the TOS and Privacy Policy of the KYC provider
  • dox oneself to the KYC provider
  • agree to the legal contract with the Solana Foundation covering this promo

That’s a lot of stuff.

Additionally, that legal agreement, called “Solana Foundation Tour de Sol Participation Terms”, contains the following:

The Company reserves the right to immediately terminate the participation of any participant
who engages in prohibited conduct (as described below) or if the participant fails to provide
the minimum level of Tour Services described above.

SOL will be offered as SOL Rewards; however, the Company makes no promises that each
Finalist will receive any minimum or maximum number of SOL as a SOL Reward. The Company
has no obligation to distribute or award any or all of these SOL at the conclusion of the Tour
de Sol. No participant has a legally binding right to receive any SOL as a result of their
participation in the Tour de Sol.

You will not violate any applicable law, contract, intellectual property right or other third-party right or commit a tort, and you are solely responsible for your conduct while using our
Solana Services. You will not (in each case except as otherwise contemplated as part of the
Tour de Sol and Tour Services set forth in these Tour de Sol Terms):

(a bunch of stuff omitted)

Initiate any attacks against other users of the Solana Services, Tour De Sol or other

Use our Solana Services other than for their intended purpose and in any manner that
could interfere with, disrupt, negatively affect or inhibit other users from fully enjoying
our Solana Services or that could damage, disable, overburden or impair the functioning
of our Solana Services in any manner;

Reverse engineer any aspect of our Solana Services or do anything that might discover
source code or bypass or circumvent measures employed to prevent or limit access to any
part of our Solana Services

Develop or use any applications that interact with our Solana Services without our prior
written consent; or

So, a bug bounty where actually doing research or attacks or even writing applications to interact with the chain means you don’t get paid.

Somehow, I’m skeptical that this is going to get a lot of bug hunters coming forward with vulnerabilities.

Hey Kuribo!

Thanks for raising this. I think we discussed this at length in Discord. But I wanted to wrap this up formally as well. We took a look at the ToS and a lot of the great points you mentioned.

We’re going to leave the ToS unchanged, and the reason is because we have an overarching clause that essentially says that all of those concerns raised are only valid outside of Tour de SOL.

Attached an image below which acts as a catch all, to allow a broader attack scope for any Tour de SOL related security research.