Bug Bounty

Why Bug Bounty?

This program aims to strengthen the security of our protocol by encouraging ethical hackers to report potential security flaws of varying degrees of impact. By leveraging the expertise of security researchers, we can proactively identify and address vulnerabilities before they can be exploited. The safety of our users and the integrity of the Usual Protocol are our top priorities, and we know that an incentivized security program is crucial to maintaining a robust and resilient ecosystem.

Bug Bounty Program Description

The program follows a severity matrix to classify findings and determine rewards based on potential impact. Critical vulnerabilities affecting our Total Value Locked (TVL) are the highest priority, while lower-severity issues are assessed accordingly.

Scope of the Bug Bounty

The Core Stablecoin Protocol is the primary focus of this bug bounty, as it directly affects the security of our TVL. The following contracts (and their imports) are in scope:

• Chains in scope

Ethereum Mainnet only. (Smart contracts on any other networks or testnets are out-of-scope.)

• Core Stablecoin Protocol

  • USD0

  • USD0PP

  • DaoCollateral

  • RegistryAccess

  • RegistryContract

  • ClassicalOracle

  • SwapperEngine

  • TokenMapping

These contracts handle stablecoin issuance, structured financial product management, swaps between Real-World Assets (RWAs) and stablecoins, and asset pricing. Their security is mission-critical.

Additional areas covered by the bug bounty include:

• RWA Token Wrapper Contracts and Euler

  • UsualM

  • UsualUSDtb

  • EulerOracle

These ERC-20 wrapper contracts enhance security for RWAs like wrappedM by M0 or USDtB by Ethena. Exploits here could impact a limited portion of TVL based on mint caps.

For any USL Euler-Vault-related code, we refer to the Cantina Bug Bounty.

• Usual Token & Distribution Module

  • Usual

  • Usual*

  • UsualX

  • DistributionModule

  • YieldModule

The Usual Protocol’s token distribution system, tied to RWA yield, is also included, though it is a lower priority than the stablecoin core.

Out of Scope

The following vulnerabilities and attack vectors are out of scope and will not be rewarded:

• Any code or contracts not deployed on Ethereum mainnet (e.g. development branches, testnet or staging deployments)

• Any known issues already identified in prior audits or otherwise documented by Usual Labs

• Front-end websites or web applications (UI/UX) – (Issues here may be eligible for discretionary rewards at the team's discretion, but are not part of the core smart contract bounty scope)

• Integrations with external protocols (e.g. Curve pools or any third-party platform integrations)

• Oracle contracts or RWA token contracts maintained by third parties (bugs in external dependency contracts are out-of-scope)

• Risks related to RWA Tokenizer contracts (including external oracles).

• Issues that require privileged access (admin/governance only actions or intended permissioned functions)

• Pure gas optimization improvements with no security impact

• Theoretical attacks requiring impractical brute-force methods or only resulting in minor rounding/precision errors

• Economic or market-manipulation attacks that are not symmetric or require extreme market turmoil conditions.

• Incorrect data or pricing information supplied by third-party oracles.

• Vulnerabilities related to malicious bridge implementations (e.g., LayerZero or Chainlink CCIP).

• Issues related to the SwapperEngine when the underlying asset isn't USDC or when Circle itself is compromised.

• Issues solely related to missing or incorrect NatSpec comments, outdated documentation, or comment hygiene

Judging

Sherlock’s security team will triage all submissions and determine severity based on impact. Usual Labs will not be judging submissions in this program. Sherlock will decide whether a reported issue is valid and what severity/reward applies, in accordance with the criteria below.

Severity Definitions

Bug Bounty Links

To take part in the program and find out more, visit the Sherlock website by following this LINK.