Fira UZR is live on Ethereum, and its security matters. We’re expanding the bug bounty for the UZR module, with rewards up to $7.5M for critical findings, clear scope, and responsible disclosure rules.
Security is not a milestone. It is an ongoing property of the system.
With the Fira UZR (Usual Zero Rate) module now deployed on Ethereum mainnet, Usual Labs is expanding its bug bounty program to reflect the importance of this market within the Usual ecosystem. UZR is a fixed-rate lending module that allows users to post bUSD0 as collateral to borrow USD0 at a fixed 0.1% interest rate, with a 0.1% annual service fee. It succeeds the earlier Euler-based Usual Stability Loan (USL) system by moving that liquidity into Usual’s own infrastructure.
This bug bounty focuses on identifying vulnerabilities in the Fira UZR smart contracts and closely related components that could compromise funds or protocol integrity. Only contracts currently deployed on Ethereum mainnet and explicitly listed as in-scope are eligible.
The contracts in scope include:
The UZR Lending Market (Fira UZR Vault)
The UZR Vault Oracle Adapter
The Permissioned Sisu Vault (bUSD0 collateral vault)
The USD0/bUSD0 Oracle and its supporting stale feed
The Fixed-Rate Interest Rate Model
These contracts are verified on Etherscan and use transparent proxy patterns, allowing researchers to review implementation logic directly.
Some supporting contracts, such as the USL Helper Migrator, Sisu Vault Factory, and ChainlinkOracleV2 Factory, are also in scope, but findings in them are eligible only for High or Medium severity classifications.
Other parts of the Usual protocol, including core USD0 contracts, governance, and vaults outside UZR, are explicitly out of scope for this bounty. Likewise, any code still on Euler related to the old USL system is excluded.
Severity and Rewards
The bounty uses three severity tiers: Critical, High, and Medium.
Critical severity issues are those that lead to a definite and significant loss of funds, or irreversible locking of funds at a systemic level, without reliance on extreme or external conditions. Typically, issues that could affect around 5% or more of total value locked fall into this category. Only vulnerabilities in core contracts qualify.
Critical findings are eligible for rewards of up to $7,500,000, capped at 10% of the funds at risk at the time of submission. The minimum payout for a valid critical issue is $200,000.
High severity issues are those that could cause significant loss of funds or freezing of funds, generally affecting a smaller portion of TVL (approximately 1%–5%) or requiring certain unlikely conditions to exploit. They may also involve secondary contracts that can be abused to cause large economic damage.
Medium severity issues include vulnerabilities that could lead to loss of funds or permanent lock of funds for individual users, or that degrade security or availability in limited scenarios.
High and Medium severity payouts are discretionary and determined case by case. All reports are triaged and assessed by Sherlock’s security team, which makes the final determination on validity and severity.
Lower-severity issues, such as Low or Informational, are not eligible for rewards.
Scope and Exclusions
This bounty covers only the Fira UZR module and its related contracts owned by Usual Labs and deployed on Ethereum mainnet.
Out of scope are:
Undeployed or testnet code
Issues already known from prior audits
Frontend, UI, or website vulnerabilities
Third-party integrations and external protocols
External oracle failures or off-chain processes
Real-world asset or legal risks
Intended admin or governance actions
Protocol-intended behaviors, such as forced liquidation at bUSD0 maturity
Minor gas optimizations or rounding issues
Impractical brute-force or purely theoretical attacks
Pure economic or market manipulation without code flaws
Third-party platform risks
Documentation-only issues
If an issue can only occur through intended protocol rules or expected admin permissions, it is not considered a vulnerability.
Responsible Disclosure
All submissions must follow Sherlock’s platform rules and safe harbor policies.
Critical vulnerabilities must not be disclosed publicly until:
Usual Labs has been notified and acknowledged the issue
A fix or mitigation has been deployed
Explicit permission to disclose has been granted
Researchers are asked to report issues within 24 hours of discovery. Exploitation beyond what is required to demonstrate a vulnerability, or any attempt to profit from an exploit, will result in disqualification.
Testing should be done using local environments or mainnet forks. Destructive testing on mainnet is prohibited.
Eligibility
Participants must:
Not be subject to international sanctions
Not be affiliated with Usual Labs or the Fira development team
Have legal capacity to participate
Not have previously audited this code in an official paid capacity
Agree to follow all program rules
Eligibility may be verified, and violations may result in disqualification.
Why This Matters
UZR is now live infrastructure with real capital and real users. While it has already undergone multiple audits, audits are a baseline, not an endpoint.
This bounty exists to align incentives with reality: real systems improve when they are examined in the open, under clear rules, with rewards proportional to risk.
If you specialize in smart contract security, oracle design, or fixed-rate lending systems, this program invites you to review deployed infrastructure with meaningful impact.
Security compounds when scrutiny does.