Announcement

May 28, 2025

Sky Vault Arbitrage Recap: Contained and Controlled

A user exploited a capped unwrap route in the USDS Vault, gaining ~$42.8K via arbitrage. No user funds were lost, the protocol remained secure, and safeguards worked as designed. Here’s a full recap and next steps.

  • Date of Incident: May 27, 2025 (06:31:59 PM UTC)

  • Impact: ~$42.8K in arbitrage gains (transaction)

  • User Funds Lost: 0

  • Protocol Funds Lost: 0

  • Protocol Downtime: None

  • Status: Paused and contained

What Happened?

On May 27th, a user exploited a situational vulnerability in the USD0++ deposit path within our usUSDS++ Vault, a beta vault developed on top of Sky Protocol. This vault allows users to earn stacked returns from both Sky’s sUSDS yield-bearing stablecoin and Usual’s own rewards by depositing USD0++.

The situational exploit revolved around the unwrap step, in which USD0++ is converted to USD0 during a deposit. In this case, the user manipulated the vault’s deposit route, which includes a limited and capped conversion from USD0++ to USD0, and was able to profit approximately $42,800 through arbitrage.

Despite this arbitrage exploit, the vault’s capped architecture, along with automated monitoring systems, immediately limited further activity. The affected vault was paused automatically, and all core contracts and other vaults remained fully operational. No user funds were impacted, and the design of the vaults proved effective in containing the incident.

Security & Audit Trail

Although still in beta, this vault was subject to multiple security audits over the past months:

  • Spearbit (January and April 2025): Focused on the USD0++ Vault architecture and router.

  • Halborn (January 2025): Focused on the USD0++ Vault architecture and router.

  • Cantina (March 2025): A security competition hosted on Cantina.

These layered audits were conducted to ensure robustness before launch. While the exploit did occur, it targeted a behavioral edge case rather than a vulnerability from flawed logic. The presence of caps and guards played a vital role in mitigating risk and impact.

What’s Next

Usual is moving forward with the following action plan:

  1. Final patch review and redeployment of the router (ETA: before June 3).

  2. Publication of a full technical audit diff and exploit breakdown.

Final Thoughts

This event, while unfortunate, demonstrated the resilience and responsiveness of the Usual protocol. The behavioral exploit was limited in scope, quickly contained, and incurred no damage to user funds or protocol integrity. Our safeguards proved effective.

Usual remains committed to building transparent, secure, and high-yield DeFi infrastructure. We thank our community and partners for their continued trust and support.
