Usual takes security seriously — it has to, because it holds hundreds of millions of dollars in user balances. This article lists the audit firms, the bug bounty program, and the full set of security practices in place.
The audit firms
Usual has been audited more than 20 times since launch by the following firms:
| Firm | Focus | Type of audit |
| --- | --- | --- |
| Cantina | Smart contracts | Comprehensive reviews; bug bounty host |
| Sherlock | Smart contracts | Audits and contests; also host of the Fira bug bounty |
| Spearbit | Smart contracts | Peer-reviewed audits |
| Halborn | Smart contracts | Security assessments |
| Hexens | Smart contracts | Comprehensive reviews |
| Paladin | Smart contracts | Audit and review |
| Blackthorne | Smart contracts | Audit and review |
| Trail of Bits | Spiko smart contracts | Third-party audit of Spiko (EUTBL/USTBL provider) |
| PwC | Spiko financial statements | Third-party financial audit of Spiko |
Each audit covers a specific scope (a new product launch, a feature upgrade, or a specific component). Reports are published on docs.usual.money.
Bug bounty — $7.5M via Cantina
Usual runs a public bug bounty program hosted by Cantina, with rewards up to $7.5 million for critical vulnerabilities. This is one of the largest bug bounties in DeFi.
Scope: Core smart contracts (USD0, EUR0, ETH0, bUSD0, USUAL, USUALx, DaoCollateral, SwapperEngine, Distribution, and related infrastructure).
How to participate:
Register with Cantina as a security researcher
Review the scope and rules on the bug bounty page
Responsibly disclose any findings through the Cantina platform
Receive a reward scaled to severity (up to $7.5M for a critical finding; lower tiers for high and below, as set out on the program page)
Important: The $7.5M bug bounty is Usual Protocol's bounty. Fira (the fixed-rate credit platform inside Usual Credit) has a separate $500K bug bounty via Sherlock. Do not conflate the two.
Layered security practices
Beyond audits and the bounty, Usual applies additional security practices:
1. Emergency pause mechanism
Critical contracts can be paused by an emergency multisig if a vulnerability is discovered. The pause halts new deposits and operations without freezing existing balances, buying time for investigation and a coordinated response. This is a trust assumption as much as a control: the multisig's signer set and quorum are what actually gate the pause, and both are readable from the multisig contract on-chain, so check them rather than taking the description on faith.
2. Upgrade transparency
Any contract upgrade that changes protocol behavior must go through a DAO vote via a UIP. This prevents unilateral changes and ensures the community has visibility into any modifications.
3. Open source
All Usual contracts are open source, so anyone can review the code, propose improvements, or find bugs. Transparency is the best long-term defense, with one caveat: a public repository alone does not prove what is deployed, so compare it against the verified source for each deployed contract on the block explorer.
4. Audit before release
New contracts and features are audited before deployment. The audit process includes findings resolution, re-audit cycles, and community review through the governance forum.
5. Continuous monitoring
On-chain monitoring tools track contract health, unusual activity, and anomalies in real time. Usual Labs operates this monitoring and responds to alerts.
6. Incident response procedures
When an incident occurs, the response follows a standard pattern:
Detection (via monitoring, bounty, or user reports)
Emergency pause (if needed)
Investigation and analysis
Public communication through Discord, X, and the blog
Coordinated fix
Public post-mortem
Past incidents and responses
The most significant incident to date was the January 2025 bUSD0 floor adjustment event. It was not a smart contract exploit but a governance parameter change that caused a temporary market move. The response included:
Transparent communication through all channels
Governance-led adjustment of the floor price
Public post-mortem detailing the cause and the fix
Full incident archives are on the governance forum at gov.usual.money.
How to verify audit reports
On the Usual docs — docs.usual.money has a security page with links to all reports
On the audit firms' websites — each firm publishes its own reports independently
On-chain — the source of each deployed contract is verified on Etherscan and other block explorers, so you can confirm that the code at a given address matches the release an audit report covers rather than trusting the report's scope description alone
What security does not cover
Even the best security practices cannot cover:
User error (lost keys, phishing, wrong addresses)
Third-party failures outside the Usual scope (a compromised CEX where you hold USUAL)
Regulatory actions affecting the protocol or its providers
Black swan events that exceed the coverage of audits and bug bounties
Your best protection is a combination of Usual's security measures and your own operational discipline: hardware wallets, verified URLs, careful transaction review, and appropriate position sizing.
Note: If you discover a potential vulnerability, do not exploit it. Report it through the Cantina bug bounty platform for a responsible disclosure reward. The program exists precisely to incentivize disclosure over exploitation.
Technical note (for DeFi users): Audit reports are published per contract and per release, so match the report to the specific release you are interacting with. The emergency pause is controlled by a multisig with a predefined quorum. Upgrade paths use a proxy pattern with governance-controlled upgrade authority, which means the implementation address behind each proxy and the address that can swap it are both on-chain state you can read for yourself. The Cantina bug bounty is live at cantina.xyz. See the docs for the full security registry.