Security is not a milestone, but a long-term attribute that every system should continuously possess.

With the launch of the Fira UZR (Usual Zero-Interest Lending) functional module on the Ethereum mainnet, Usual Labs has expanded its existing vulnerability bounty program to reflect the importance of this lending market within the Usual ecosystem. UZR is a fixed-rate lending module that allows users to provide bUSD0 as collateral to borrow USD0 at a fixed interest rate of 0.1%, accompanied by a 0.1% annual service fee. It replaces the earlier Euler-based Usual Stability Loan (USL) system by migrating liquidity to Usual's own infrastructure.

This vulnerability bounty program focuses on identifying vulnerabilities in the Fira UZR smart contracts and their critical components that could affect the security of funds or the overall integrity of the protocol. Only smart contracts currently deployed on the Ethereum mainnet and listed below are eligible for rewards.

The contracts included are:

  • UZR Lending Market (Fira UZR Vault)

  • UZR Vault Oracle Adapter

  • Restricted access Sisu Vault (bUSD0 collateral vault)

  • USD0 / bUSD0 oracle and its supported fallback price mechanism (Stale Feed)

  • Fixed-rate interest rate model

These contracts are verified on Etherscan and use a transparent proxy model, allowing researchers to review the implementation logic directly.

Supporting contracts (such as the USL Helper Migrator, Sisu Vault Factory, and ChainlinkOracleV2 Factory) are also in scope, but only High or Medium severity vulnerabilities in them qualify for bounties.

Other parts of the Usual protocol, including the USD0 core contracts, governance contracts, and vaults outside UZR, are explicitly excluded from this bounty program. Any code related to the old USL system on Euler is also out of scope.

Vulnerability severity and reward mechanism

The vulnerability bounty program adopts three different levels of severity: Critical, High, and Medium.

Critical severity: Causes significant financial loss or can lead to irreversible locking of funds at the system level without relying on extreme or external conditions. Generally, issues affecting 5% or more of TVL fall into this category. Only vulnerabilities in the core critical smart contracts qualify for this level.

Critical vulnerabilities are eligible for rewards of up to $7.5 million, with the maximum bounty capped at 10% of the total funds affected at the time of submission. Validated critical issues carry a minimum bounty of $200,000.

High severity: Issues that may lead to significant financial loss or freezing of funds, usually affecting a smaller proportion of TVL (about 1%–5%), or that require certain unlikely conditions to exploit. It also includes abuse of secondary smart contracts to cause significant economic loss.

Medium severity: Vulnerabilities that can cause the loss of individual users' funds or lock funds permanently, or that reduce security or affect overall availability in limited scenarios.

Bounty amounts for High and Medium severity are at the program's discretion and are determined case by case. All reports are triaged and assessed by the Sherlock security team, which makes the final determination of validity and severity.

Low and Informational findings do not meet the reward criteria of the bounty.

Scope of the bounty and excluded items

This bounty program covers only the Fira UZR module and its related contracts owned and deployed by Usual Labs on the Ethereum mainnet.

The following are not in scope of the bounty program:

  • Code that has not been deployed or exists only on test networks

  • Known issues from previous audits

  • Frontend, UI, or website vulnerabilities

  • Third-party integrations and external protocols

  • External oracle failures or off-chain processes

  • Real-world assets (RWA) or legal risks

  • Intentional administrative or governance actions

  • Expected protocol behavior (e.g., forced liquidation at bUSD0 maturity)

  • Minor gas optimizations or rounding issues

  • Unrealistic brute force or purely theoretical attacks

  • Purely economic or market manipulation behaviors with no code defects

  • Third-party platform risks

  • Problems that only exist in documentation

If an issue can only be triggered through expected protocol rules or administrative actions, it is not considered a vulnerability.

Responsible disclosure

All submissions must comply with the platform rules of the Sherlock auditing platform and the Safe Harbor policy.

Critical vulnerabilities may not be disclosed publicly until all of the following have occurred:

  1. Usual Labs has been notified and confirmed the issue

  2. Remediation or mitigation measures have been deployed

  3. Explicit permission for public disclosure has been obtained

Researchers are required to report issues within 24 hours of discovery. Any attempt to exploit a vulnerability for purposes other than demonstration, or to profit from it, will result in disqualification from the bounty program.

Testing should only be conducted in local environments or mainnet forks. Destructive testing on the mainnet is not permitted.

Eligibility

Participants must comply with the following:

  • Not subject to international sanctions

  • Not affiliated with Usual Labs or the Fira development team

  • Has the legal capacity to participate

  • Has not audited the code in an official paid capacity

  • Agrees to comply with all program rules

Eligibility may be verified, and violations of the rules may result in disqualification from the program.

The importance of the vulnerability bounty program

UZR is now a live module on the mainnet with real funds and real users. Although it has passed multiple audits, an audit is a foundation, not an endpoint.

This bounty program aligns incentives with reality: real improvements come only when the system is scrutinized in a public and transparent environment, under clear rules, with rewards proportional to the risks.

If your expertise is in smart contract security, price oracle design, or fixed-rate lending systems, we invite you to review the contracts we have deployed through this bounty program and to make a tangible impact.

The deeper the review, the stronger the security.