Usual and Sherlock launch crypto's 'largest bug bounty prize in history,' offering $16 million to find a critical vulnerability

Decentralized stablecoin protocol Usual has teamed up with blockchain security company Sherlock to offer $16 million for uncovering a critical vulnerability anywhere in Usual's codebase.

Usual and Sherlock described the program as the "largest bug bounty prize in tech history," which seems to ring true, with prior bug bounties from Uniswap ($15.5 million), LayerZero Labs ($15 million) and Wormhole ($10 million) previously making up the top three in the crypto industry. In terms of the broader tech space, Google's $12 million 2022 bug bounty program appears to be the largest on record, albeit on an annual basis.

"With over $880 million in TVL, this record-breaking bounty prize is a powerful statement from Usual showing their dedication to the security of their protocol," the projects said in a statement shared with The Block.

Bug bounty programs are commonly employed in the tech industry to encourage ethical hackers to identify vulnerabilities in a codebase before malicious actors can exploit them. The Usual codebase has already undergone 20 previous audits, including a recent Sherlock audit contest, which offered a $209,000 prize pool. However, "no valid medium vulnerabilities nor higher were found," the team said.

Only critical vulnerabilities are eligible

Only vulnerabilities deemed critical will be eligible for the $16 million top payout and all reports must be submitted directly to the Usual bug bounty page on Sherlock. Sherlock's definition for this is a "definite and significant loss of funds without limitations of external conditions" or a "definite and significant freezing of funds for over one year without limitations of external conditions."

"Sherlock is privileged to host this historic bug bounty and to continue our collaboration with Usual, a partnership rooted in mutual dedication to advancing DeFi with integrity," Sherlock CEO Jack Sanford said. "Usual's rigorous approach to security complements our mission, reinforcing trust across the ecosystem."

In January, Usual's staked USD0 token dropped 8.5% from $1 to $0.915 via decentralized exchanges after the protocol intentionally adjusted the mechanics of USD0++ as part of its dual exit update, sparking community concern.

While Usual's USD0 is a U.S. Treasuries-backed stablecoin, currently still pegged to $1, the liquid staked version, USD0++, operates more like a zero-coupon bond that is locked up for four years and earns holders Usual’s native utility and governance token, USUAL, at the end of the term.

In December, Binance and Kraken led a $10 million Series A funding round for Usual, with participation from Ethena, Ondo and Echo, among others.