Audits & Security

Usual takes security seriously — it has to, because it holds hundreds of millions of dollars in user balances. This article lists the audit firms, the bug bounty program, and the full set of security practices in place.

The audit firms

Usual has been audited more than 20 times since launch by the following firms:

| Firm | Focus | Type of audit |
| --- | --- | --- |
| Cantina | Smart contracts | Comprehensive reviews, bug bounty host |
| Sherlock | Smart contracts | Audits and contests, also host of Fira bug bounty |
| Spearbit | Smart contracts | Peer-reviewed audits |
| Halborn | Smart contracts | Security assessments |
| Hexens | Smart contracts | Comprehensive reviews |
| Paladin | Smart contracts | Audit and review |
| Blackthorne | Smart contracts | Audit and review |
| Trail of Bits | Spiko smart contracts | Third-party audit of Spiko (EUTBL/USTBL provider) |
| PwC | Spiko financial statements | Third-party financial audit of Spiko |

Each audit covers a specific scope (a new product launch, a feature upgrade, or a specific component). Reports are published on docs.usual.money.

Bug bounty — $7.5M via Cantina

Usual runs a public bug bounty program hosted by Cantina, with rewards up to $7.5 million for critical vulnerabilities. This is one of the largest bug bounties in DeFi.

Scope: Core smart contracts (USD0, EUR0, ETH0, bUSD0, USUAL, USUALx, DaoCollateral, SwapperEngine, Distribution, and related infrastructure).

How to participate:

  1. Register with Cantina as a security researcher

  2. Review the scope and rules on the bug bounty page

  3. Responsibly disclose any findings through the Cantina platform

  4. Receive rewards based on severity (critical = up to $7.5M, high = lower amounts)

Important: The $7.5M bug bounty is Usual Protocol's bounty. Fira (the fixed-rate credit platform inside Usual Credit) has a separate $500K bug bounty via Sherlock. Do not conflate the two.

Layered security practices

Beyond audits and the bounty, Usual applies additional security practices:

1. Emergency pause mechanism

Critical contracts can be paused by an emergency multisig in case of a discovered vulnerability. The pause halts new deposits and operations without freezing existing balances, buying time for investigation and coordinated response.

2. Upgrade transparency

Any contract upgrade that changes protocol behavior must go through a DAO vote via a UIP. This prevents unilateral changes and ensures the community has visibility into any modifications.

3. Open source

All Usual contracts are open source. Anyone can review the code, propose improvements, or find bugs. Transparency is the best long-term defense.

4. Audit before release

New contracts and features are audited before deployment. The audit process includes findings resolution, re-audit cycles, and community review through the governance forum.

5. Continuous monitoring

On-chain monitoring tools track contract health, unusual activity, and anomalies in real time. Usual Labs operates this monitoring and responds to alerts.

6. Incident response procedures

When an incident occurs, the response follows a standard pattern:

  1. Detection (via monitoring, bounty, or user reports)

  2. Emergency pause (if needed)

  3. Investigation and analysis

  4. Public communication through Discord, X, and the blog

  5. Coordinated fix

  6. Public post-mortem

Past incidents and responses

The most significant incident to date was the January 2025 bUSD0 floor adjustment event. It was not a smart contract exploit but a governance parameter change that caused a temporary market move. The response included:

  • Transparent communication through all channels

  • Governance-led adjustment of the floor price

  • Public post-mortem detailing the cause and the fix

Full incident archives are on the governance forum at gov.usual.money.

How to verify audit reports

  • On the Usual docs — docs.usual.money has a security page with links to all reports

  • On the audit firms' websites — each firm publishes its own reports independently

  • On-chain — contract source code can be verified on Etherscan and other block explorers

What security does not cover

Even the best security practices cannot cover:

  • User error (lost keys, phishing, wrong addresses)

  • Third-party failures outside the Usual scope (a compromised CEX where you hold USUAL)

  • Regulatory actions affecting the protocol or its providers

  • Black swan events that exceed the coverage of audits and bug bounties

Your best protection is a combination of Usual's security measures and your own operational discipline: hardware wallets, verified URLs, careful transaction review, and appropriate position sizing.

Note: If you discover a potential vulnerability, do not exploit it. Report it through the Cantina bug bounty platform for a responsible disclosure reward. The program exists precisely to incentivize disclosure over exploitation.

Technical note (for DeFi users): Audit reports are published per contract and per release. The emergency pause is controlled by a multisig with predefined quorum. Upgrade paths use a proxy pattern with governance-controlled upgrade authority. The Cantina bug bounty is live at cantina.xyz. See the docs for the full security registry.