# Bug Bounty

## **Why Bug Bounty?**

This program aims to strengthen the security of our protocol by encouraging ethical hackers to report potential security flaws of varying degrees of impact. By leveraging the expertise of security researchers, we can proactively identify and address vulnerabilities before they can be exploited. The safety of our users and the integrity of the Usual Protocol are our top priorities, and we know that an incentivized security program is crucial to maintaining a robust and resilient ecosystem.

## **Bug Bounty Program Description**

The program follows a **severity matrix** to classify findings and determine rewards based on potential impact. Critical vulnerabilities affecting our **Total Value Locked (TVL)** are the highest priority, while lower-severity issues are assessed accordingly.

#### **Scope of the Bug Bounty**

The **Core Stablecoin Protocol** is the primary focus of this bug bounty, as it directly affects the security of our TVL. The following contracts (and their imports) are in scope:

* **Chains in scope**
  * Ethereum Mainnet only (smart contracts on any other networks or testnets are out of scope)

* **Core Stablecoin Protocol**
  * [USD0](https://etherscan.io/token/0x73a15fed60bf67631dc6cd7bc5b6e8da8190acf5)
  * [USD0PP](https://etherscan.io/token/0x35D8949372D46B7a3D5A56006AE77B215fc69bC0)
  * [DaoCollateral](https://etherscan.io/token/0xde6e1F680C4816446C8D515989E2358636A38b04)
  * [RegistryAccess](https://etherscan.io/address/0x0D374775E962c3608B8F0A4b8B10567DF739bb56)
  * [RegistryContract](https://etherscan.io/address/0x0594cb5ca47eFE1Ff25C7B8B43E221683B4Db34c)
  * [ClassicalOracle](https://etherscan.io/address/0xb97e163cE6A8296F36112b042891CFe1E23C35BF)
  * [SwapperEngine](https://etherscan.io/address/0xB969B0d14F7682bAF37ba7c364b351B830a812B2)
  * [TokenMapping](https://etherscan.io/address/0x43882C864a406D55411b8C166bCA604709fDF624)

These contracts handle stablecoin issuance, structured financial product management, swaps between **Real-World Assets (RWAs)** and stablecoins, and asset pricing. Their security is mission-critical.

Additional areas covered by the bug bounty include:

* **RWA Token Wrapper Contracts and Euler**
  * [UsualM](https://etherscan.io/token/0x4Cbc25559DbBD1272EC5B64c7b5F48a2405e6470)
  * [UsualUSDtb](https://etherscan.io/address/0x58073531a2809744d1bf311d30fd76b27d662abb)
  * [EulerOracle](https://etherscan.io/address/0xe1DeE60c516a8350704Ec24a6E856c9F533d1c1b)

These ERC-20 wrapper contracts enhance security for RWAs like wrappedM by M0 or USDtb by Ethena. Exploits here could impact only a limited portion of TVL, bounded by the wrappers' mint caps.

For any USL Euler-Vault-related code, we refer to the [Cantina Bug Bounty](https://cantina.xyz/bounties/4d285eee-602e-440a-845e-25e155cec26a).

* **Usual Token & Distribution Module**
  * [Usual](https://etherscan.io/address/0xC4441c2BE5d8fA8126822B9929CA0b81Ea0DE38E)
  * [Usual\*](https://etherscan.io/address/0x094B360AE512A65584d4f5Be33D68B2E08677b89)
  * [UsualX](https://etherscan.io/address/0x06B964d96f5dCF7Eae9d7C559B09EDCe244d4B8E)
  * [DistributionModule](https://etherscan.io/address/0x75cC0C0DDD2Ccafe6EC415bE686267588011E36A)
  * [YieldModule](https://etherscan.io/address/0x647F8987C288bf6D2fDb332918E1E14424839EDA#readProxyContract)

The Usual Protocol’s token distribution system, tied to RWA yield, is also included, though it is a lower priority than the stablecoin core.

#### **Out of Scope**

The following vulnerabilities and attack vectors are **out of scope** and will not be rewarded:

* Any code or contracts **not deployed on Ethereum mainnet** (e.g. development branches, testnet or staging deployments)
* Any **known issues** already identified in prior audits or otherwise documented by Usual Labs
* Front-end websites or web applications (UI/UX); issues here may be eligible for **discretionary** rewards from the team, but they are not part of the core smart contract bounty scope
* Integrations with external protocols (e.g. Curve pools or any third-party platform integrations)
* Oracle contracts or RWA token contracts **maintained by third parties** (bugs in external dependency contracts are out of scope)
* Risks related to RWA Tokenizer contracts (including external oracles)
* Issues that require **privileged access** (admin/governance-only actions or intended permissioned functions)
* Pure gas optimization improvements with no security impact
* Theoretical attacks requiring impractical **brute-force** methods, or attacks resulting only in minor rounding/precision errors
* Economic or market-manipulation attacks that are not symmetric or that require extreme market turmoil
* Incorrect data or pricing information supplied by third-party oracles
* Vulnerabilities related to malicious bridge implementations (e.g. LayerZero or Chainlink CCIP)
* Issues related to the SwapperEngine when the underlying asset is not USDC, or when Circle itself is compromised
* Issues solely related to missing or incorrect NatSpec comments, outdated documentation, or comment hygiene

#### **Judging**

Sherlock’s security team will triage all submissions and determine severity based on impact. **Usual Labs will not be judging** submissions in this program. Sherlock will decide whether a reported issue is valid and what severity/reward applies, in accordance with the criteria below.

#### Severity Definitions

| **Severity** | **Scope**           | **Potential Impact**                                                    |
| ------------ | ------------------- | ----------------------------------------------------------------------- |
| **Critical** | Core contracts only | Theft or **irreversible loss** of **5%–100%** of TVL                    |
| **High**     | Entire protocol     | Significant loss of funds (**1%–5%** of TVL) or equivalent impact       |
| **Medium**   | Individual users    | Loss or permanent lock of funds for **individual users** (not systemic) |

## **Bug Bounty Links**

To take part in the program and find out more, visit the Sherlock website by following this [LINK](https://audits.sherlock.xyz/bug-bounties).
