Bug Bounty
In addition to regular audits, and because security is a major concern for our protocol, we run a bug bounty program for the Usual Protocol smart contracts on Ethereum.
This program aims to strengthen the security of our protocol by encouraging ethical hackers to report potential security flaws of varying degrees of impact. By leveraging the expertise of security researchers, we can proactively identify and address vulnerabilities before they can be exploited. The safety of our users and the integrity of the Usual Protocol are our top priorities, and we know that an incentivized security program is crucial to maintaining a robust and resilient ecosystem.
The program follows a severity matrix to classify findings and determine rewards based on potential impact. Critical vulnerabilities affecting our Total Value Locked (TVL) are the highest priority, while lower-severity issues are assessed accordingly.
The Core Stablecoin Protocol is the primary focus of this bug bounty, as it directly affects the security of our TVL. The following contracts (and their imports) are in scope:
Chains in scope
Ethereum Mainnet only. (Smart contracts on any other networks or testnets are out-of-scope.)
Core Stablecoin Protocol
These contracts handle stablecoin issuance, structured financial product management, swaps between Real-World Assets (RWAs) and stablecoins, and asset pricing. Their security is mission-critical.
Additional areas covered by the bug bounty include:
RWA Token Wrapper Contracts and Euler
These ERC-20 wrapper contracts enhance security for RWAs like wrappedM by M0 or USDtB by Ethena. Exploits here could impact a limited portion of TVL based on mint caps.
Usual Token & Distribution Module
The Usual Protocol’s token distribution system, tied to RWA yield, is also included, though it is a lower priority than the stablecoin core.
The following vulnerabilities and attack vectors are out of scope and will not be rewarded:
Any code or contracts not deployed on Ethereum mainnet (e.g. development branches, testnet or staging deployments)
Any known issues already identified in prior audits or otherwise documented by Usual Labs
Front-end websites or web applications (UI/UX). Issues here may be eligible for rewards at the team's discretion, but they are not part of the core smart contract bounty scope
Integrations with external protocols (e.g. Curve pools or any third-party platform integrations)
Oracle contracts or RWA token contracts maintained by third parties (bugs in external dependency contracts are out of scope)
Risks related to RWA Tokenizer contracts (including external oracles)
Issues that require privileged access (admin/governance-only actions or intended permissioned functions)
Pure gas optimization improvements with no security impact
Theoretical attacks requiring impractical brute-force methods, or attacks that only result in minor rounding/precision errors
Economic or market-manipulation attacks that are not symmetric or that require extreme market turmoil conditions
Incorrect data or pricing information supplied by third-party oracles
Vulnerabilities related to malicious bridge implementations (e.g. LayerZero or Chainlink CCIP)
Issues related to the SwapperEngine when the underlying asset isn't USDC, or when Circle itself is compromised
Issues solely related to missing or incorrect NatSpec comments, outdated documentation, or comment hygiene
Sherlock’s security team will triage all submissions and determine severity based on impact. Usual Labs will not be judging submissions in this program. Sherlock will decide whether a reported issue is valid and what severity/reward applies, in accordance with the criteria below.
Severity | Scope               | Potential Impact
Critical | Core contracts only | Theft or irreversible loss of 5%–100% of TVL
High     | Entire protocol     | Significant loss of funds (1%–5% of TVL) or equivalent impact
Medium   | Individual users    | Loss or permanent lock of funds for individual users (not systemic)
For any USL Euler-Vault-related code, we refer to the
To take part in the program and find out more, visit the Sherlock website by following this .