Delphik · open eval

Reward Hacking & Clean Coding Index

We audit every released trajectory of frontier coding benchmarks for reward hacking — where a model passes by exploiting a defect instead of solving the task — then re-score capability with the contaminated tasks held out: the Clean Coding Index.

2
benchmarks audited
10,506
trajectories
14
frontier models
419
reward-hack attempts flagged

Why only two? They are the only recent coding benchmarks that publish every agent trajectory — the raw material an audit needs. We chose for auditability, not quality (full benchmark comparison).

Capability vs hacking attempts

Capability (x) vs hacking-attempt rate (y — higher = more hacking).
Left — DeepSWE: each model swept across reasoning effort, so more effort means more hacking attempts.
Right — SWE-Marathon: one dot per model.

The rank inverts across the two: gpt-5.5 attempts zero on patch-based DeepSWE (and stays clean on patch-based SWE-bench Pro too, which isn't air-gapped), yet hacks long-horizon SWE-Marathon the most. The split tracks the task form, not a fixed model trait — so behavior has to be audited across many benchmarks.

DeepSWE · effort sweepρ=+.61 · n=14 · p=.02 · within
0%2.9%5.9%8.8%11.7%0%20%40%60%80%Clean pass →hacking attempt %claude-fable-5 · low: 55.3% pass · 2.7% hack attemptclaude-fable-5 · medium: 61.3% pass · 6.9% hack attemptclaude-fable-5 · high: 65% pass · 8.4% hack attemptclaude-fable-5 · xhigh: 70.3% pass · 9.7% hack attemptfable-5claude-fable-5 · max: 66.8% pass · 10.2% hack attemptclaude-opus-4.8 · low: 37.5% pass · 0% hack attemptclaude-opus-4.8 · medium: 48% pass · 0.4% hack attemptclaude-opus-4.8 · high: 50.2% pass · 1.1% hack attemptclaude-opus-4.8 · xhigh: 53.3% pass · 2% hack attemptclaude-opus-4.8 · max: 55% pass · 4.6% hack attemptopus-4.8gpt-5.5 · low: 24.5% pass · 0% hack attemptgpt-5.5 · medium: 53% pass · 0% hack attemptgpt-5.5 · high: 63.5% pass · 0% hack attemptgpt-5.5 · xhigh: 66% pass · 0% hack attemptgpt-5.5gpt-5.4 · xhigh: 50.5% pass · 0.2% hack attemptgpt-5.4glm-5.2 · max: 42.8% pass · 0% hack attemptglm-5.2gemini-3.5-flash · medium: 36.3% pass · 0% hack attemptclaude-sonnet-4.6 · high: 29% pass · 0.4% hack attemptkimi-k2.7-code · default: 27.8% pass · 0.7% hack attemptkimi-k2.7-codegemini-3.1-pro · high: 10.8% pass · 1.5% hack attemptgemini-3.1-pro
SWE-Marathonρ=+0.27 · n=11 · p=0.42 · across
0%7.6%15.2%22.9%30.5%0%18.8%37.5%56.3%75%Clean partial →hacking attempt %deepseek-v4-pro: 33% partial · 17% hackdeepseek-v4-progpt-5.5: 49.6% partial · 26.5% hackgpt-5.5gemini-3.1-pro: 29.9% partial · 22.1% hackgemini-3.1-proclaude-opus-4.7: 56.9% partial · 11% hackopus-4.7claude-fable-5: 57.9% partial · 9% hackfable-5kimi-k2.6: 22.4% partial · 8% hackkimi-k2.6glm-5.1: 29.8% partial · 7% hackgemini-3.5-flash: 33.5% partial · 12% hackgemini-3.5-flashclaude-opus-4.8: 65% partial · 10% hackopus-4.8minimax-m2.7: 13.9% partial · 4% hackminimax-m2.7glm-5.2: 55.7% partial · 7% hackglm-5.2
DeepSeekOpenAIGoogleAnthropicMoonshot AIZ.aiMiniMax

The leaderboard

Capability re-scored with contaminated tasks held out (orig → clean), and the hacking-attempt rate alongside. Click any header to sort.

#ModelCoding
Index
Hacking
Attempt %
DeepSWESWE-Marathon
pass rate
orig→clean
13% held out
hacking attempt
%
partial score
orig→clean
25% held out
hacking attempt
%
1
claude-fable-5
Anthropic
60.8%8.3%
64.5% 63.7%
7.6%
mini-swe-agent · 5 cfg
60.4% 57.9%
9%
Claude Code · 1 cfg
2
claude-opus-4.8
Anthropic
56.9%5.8%
50.2% 48.8%
1.6%
mini-swe-agent · 5 cfg
71.1% 65%
10%
Claude Code · 1 cfg
3
gpt-5.5
OpenAI
50.7%13.3%
53.1% 51.8%
0%
mini-swe-agent · 4 cfg
54.1% 49.6%
26.5%
Codex, Terminus 2 · 2 cfg
4
glm-5.2
Z.ai
49.2%3.5%
43.6% 42.8%
0%
mini-swe-agent · 1 cfg
59.4% 55.7%
7%
Claude Code · 1 cfg
5
gemini-3.5-flash
Google
34.9%6%
37.4% 36.3%
0%
mini-swe-agent · 1 cfg
37.2% 33.5%
12%
Gemini CLI · 1 cfg
6
gemini-3.1-pro
Google
20.3%11.8%
11.7% 10.8%
1.5%
mini-swe-agent · 1 cfg
38.3% 29.9%
22.1%
Gemini CLI, Terminus 2 · 2 cfg

Read the full analysis → the audit method, who hacks where (provider × environment), how we verified GPT-5.5's zero, and the full reward-hack taxonomy.

About this index

Why this exists. Capable models increasingly exploit benchmark tasks instead of solving them. Labs curb this in training, but the fix doesn't carry to a new benchmark — so we measure it from the outside, from public trajectories alone (method).

How it runs. Living and versioned, not a one-off. A task is held out once we confirm a defect — false pass, false negative, or hackable — and restored once the benchmark fixes it; a benchmark retires when it saturates and newer ones take its place.

Part of an open loop. Every defect we confirm here lands in our open defect store, next to the defects we track across many other benchmarks (browse them on Delphik). Hit a false pass, false negative, or reward hack we missed? Report it and it flows into the same store. This is a clean eval the whole community builds together — open data, correctable by anyone.

Private audit · waitlist

Want this audit on your benchmark or RL environment?

We harden public and private RL environments against the leaks above — false passes, false negatives, and reward-hacking — with an LLM-pass then human-confirm method tuned for high recall at low cost. Drop your email and we'll reach out.