OpenHack is now live on Base Mainnet.
We built GitVault because AI agents need wallets, and every AI agent wallet today is one leaked private key away from being drained. Even if the key is exposed, the vault stays locked. Funds only move when both signatures are present: cryptographic ownership plus verified social identity.
We deployed a vault, funded it with 504 gitUSDC, and published the owner private key publicly at
gitbank.io/openhack. If you can drain the vault, keep the funds. No time limit. No rules.
Here is the private key:
0x1a40cabe6d39ff1d94d6d5c7a78dd32c8b29d4ae3e801573d7d48cb05632ac1d
Vault address:
0x639df7b02daf540f145b4a9aab76e9896af7dd0c
Your attack surface:
- Break secp256k1: theoretically possible, practically not
- Replay a past relayer sig: blocked by monotonic nonce and 5-min deadline
- Social engineer the GitHub or X account: if you can do that, 504 gitUSDC is the least interesting thing you unlocked
- Find a smart contract bug: the contract is verified and public on Basescan
GitVault requires two independent ECDSA signatures before executing any vault operation. Owning the secp256k1 key gives you only the first one. The second comes from the Gitbank relayer server, which will only sign after verifying a real command from the vault owner's GitHub account or X account. No exception.
When you try to call gitUnshield with just the owner key, the contract reverts:
"GitVault: invalid relayer sig"
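The check described above can be modeled offline. This is an added example, not GitVault's contract code: `VaultModel`, `sign`, `attempt`, the field layout and the "model:" messages are hypothetical, and HMAC-SHA256 stands in for ECDSA so the sketch needs only the standard library.

```python
import hashlib
import hmac

def sign(key: bytes, digest: bytes) -> bytes:
    # Stand-in for ECDSA signing (assumption): HMAC keeps the model stdlib-only.
    return hmac.new(key, digest, hashlib.sha256).digest()

class VaultModel:
    """Hypothetical vault that needs owner AND relayer approval per operation."""

    def __init__(self, owner_key: bytes, relayer_key: bytes, balance: int):
        self.owner_key, self.relayer_key = owner_key, relayer_key
        self.balance = balance
        self.nonce = 0  # monotonic: each accepted operation consumes one value

    def digest(self, to: str, amount: int, nonce: int, deadline: int) -> bytes:
        # Both signatures cover the same fields, so neither can be reused
        # for another recipient, amount, nonce or deadline.
        msg = f"unshield|{to}|{amount}|{nonce}|{deadline}".encode()
        return hashlib.sha256(msg).digest()

    def unshield(self, to, amount, nonce, deadline, owner_sig, relayer_sig, now):
        if now > deadline:
            raise PermissionError("model: deadline passed")
        if nonce != self.nonce:
            raise PermissionError("model: stale nonce")
        d = self.digest(to, amount, nonce, deadline)
        if not hmac.compare_digest(owner_sig, sign(self.owner_key, d)):
            raise PermissionError("model: invalid owner sig")
        if not hmac.compare_digest(relayer_sig, sign(self.relayer_key, d)):
            # Only this message is taken from the page.
            raise PermissionError("GitVault: invalid relayer sig")
        if amount > self.balance:
            raise ValueError("model: insufficient balance")
        self.nonce += 1  # a replayed signature pair now fails the nonce check
        self.balance -= amount
        return self.balance

def attempt(vault, *args):
    """Return 'ok' or the rejection reason for one unshield call."""
    try:
        vault.unshield(*args)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return str(exc)
```
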
The private key is not enough. Hack it if you can.
gitbank.io/openhack