Usual Labs

Usual Protocol Bug Bounty

Usual Labs is launching a bug bounty for the Usual Protocol smart contracts on Ethereum mainnet. Usual Protocol issues the USD0 stablecoin, which is fully collateralized by real-world assets (RWAs). This bug bounty focuses on vulnerabilities in the Ethereum mainnet smart contracts that could affect the Usual Core Protocol. Only contracts currently deployed on mainnet are considered in-scope.

Reward Amounts

Critical

  • $16,000,000 maximum payout
  • Payout shall not exceed 10% of funds at risk at time of submission

High

  • Discretionary - High severity payouts will be determined case-by-case by Usual Labs (amount will reflect the impact).

Medium

  • Discretionary - Medium severity payouts will be determined case-by-case by Usual Labs.

Actual reward amounts will be decided upon vulnerability validation and severity assessment by Sherlock, up to the caps listed above. Lower-severity issues (e.g. Low or Informational) are not eligible for rewards under this program.

Severity Criteria

Critical Definition

  • Definite and significant loss of funds without limitations of external conditions
  • Definite and significant freezing of funds for >1 year without limitations of external conditions
  • Only vulnerabilities in core contracts qualify for the Critical severity
  • Vulnerabilities that could lead to theft or irreversible loss of 5%-100% of the protocol's Total Value Locked (TVL).

High Definition

  • Definite and significant loss of funds without limitations of external conditions
  • Definite and significant freezing of funds for >1 year without limitations of external conditions
  • Vulnerabilities that could cause significant loss of funds (approximately 1%-5% of TVL) or equivalent impact on the protocol.

Medium Definition

  • Vulnerabilities that could cause loss or permanent lock of funds for individual users (user-level impact, not systemic).

General Notes

  • Sherlock's Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues, etc., but nothing in that guide overrules the definitions above
  • A coded Proof of Concept (POC) with instructions to run the POC is required
  • If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability.

Scope

  • Chains in Scope: Ethereum Mainnet only. (Smart contracts on any other networks or testnets are out-of-scope.)
  • Core Contracts (Critical severity tier) - These form the primary attack surface and are the only contracts eligible for the highest (Critical) rewards:
    • USD0
    • USD0PP
    • DaoCollateral
    • RegistryAccess
    • RegistryContract
    • SwapperEngine
    • ClassicalOracle
    • TokenMapping
  • Additional Contracts (High/Medium severity tier) - All other deployed Usual Protocol contracts, eligible for high or medium severity findings depending on impact:
    • Usual.sol
    • EulerOracle
    • UsualX
    • Usual*
    • Distribution module
    • UsualUSDtB
    • UsualM

For any USL Euler-Vault-related code, we refer to the Cantina Bug Bounty.

Out of Scope

The following items/areas are out-of-scope for this bounty (no rewards will be given for these):

  • Any code or contracts not deployed on Ethereum mainnet (e.g. development branches, testnet or staging deployments)
  • Any known issues already identified in prior audits or otherwise documented by Usual Labs
  • Front-end websites or web applications (UI/UX) - (Issues here may be eligible for discretionary rewards at the team's discretion, but are not part of the core smart contract bounty scope)
  • Integrations with external protocols (e.g. Curve pools or any third-party platform integrations)
  • Oracle contracts or RWA token contracts maintained by third parties (bugs in external dependency contracts are out-of-scope)
  • Risks related to RWA Tokenizer contracts (including external oracles).
  • Issues that require privileged access (admin/governance only actions or intended permissioned functions)
  • Pure gas optimization improvements with no security impact
  • Theoretical attacks requiring impractical brute-force methods or only resulting in minor rounding/precision errors
  • Economic or market-manipulation attacks that are not symmetric or require extreme market turmoil conditions.
  • Incorrect data or pricing information supplied by third-party oracles.
  • Vulnerabilities related to malicious bridge implementations (e.g., LayerZero or Chainlink CCIP).
  • Issues related to the SwapperEngine when the underlying asset isn't USDC or when Circle itself is compromised.
  • Issues solely related to missing or incorrect NatSpec comments, outdated documentation, or comment hygiene

Previous Audits

Additional Context

Usual is a decentralized stablecoin protocol designed to bring transparency, security, and long-term value redistribution to the DeFi ecosystem. By leveraging real-world asset backing, Usual offers USD0, a fully collateralized and resilient stablecoin, providing a reliable alternative to traditional fiat-backed models.
At the core of the protocol is USUAL, a governance and rewards token that aligns incentives between users and the ecosystem, distributing yield while granting holders a stake in Usual’s future. Through its innovative approach, Usual empowers its community with both financial rewards and governance participation, ensuring a stable and decentralized foundation for the next generation of on-chain finance.

Chains in scope

Ethereum, Arbitrum

Trusted protocol roles

No.

Offchain mechanisms and procedures

N/A

Protocol Resources

Judging

Sherlock's security team will coordinate the triaging of all submissions and determination of severity based on impact. Usual Labs will not be judging submissions in this program. Sherlock will decide whether a reported issue is valid and what severity/reward applies, in accordance with the specified criteria.

Disclosure Policy

In addition to Sherlock's General Disclosure Policy, the following Disclosure Policy applies.

Any critical vulnerability found in the deployed core contracts must not be disclosed publicly or to any third party until all of the following conditions are met:

  • Usual Labs has been notified of the issue
  • The issue has been fully resolved/fixed on mainnet
  • Usual Labs has granted explicit permission to disclose the details (post-fix)

Additionally, any discovered vulnerability should be reported within 24 hours of discovery through the official submission process. Public disclosure or sharing of the exploit details prior to resolution (or not adhering to the 24-hour reporting window) may disqualify the submission from any reward.

Usual Labs may, at its discretion, offer additional compensation outside of the advertised prize pool for especially valuable discoveries that are handled according to the above disclosure rules. This is optional and would be on top of the standard bounty reward for the finding.

Eligibility

To be eligible for a reward under this program, you must meet the following criteria:

  • No sanctions: You are not on any sanctions list, including the U.S. Treasury Department's OFAC Specially Designated Nationals (SDN) list.
  • No affiliation with Usual: You are not a contributor (current or former) to the Usual project, and you are not employed by or directly affiliated with the Usual Labs team.
  • Legal capacity: You are legally permitted to participate in bug bounty programs and to receive funds in the jurisdiction you are operating from.
  • No prior auditors: You have not audited, reviewed, or assessed the Usual Protocol in an official capacity (for example, as part of a paid audit or formal security review for the team). Independent researchers only. (Researchers affected by this rule may contact Usual Labs for permission to participate.)

By submitting a report, you also agree to abide by all the terms of this bug bounty program and any applicable platform (e.g., Sherlock) terms.

Max Rewards

16,000,000 USDC

Status: LIVE

Live since: Apr 8, 2025, 11:51 AM

Last updated: Apr 8, 2025, 11:51 AM