TL;DR
- Historic $16M Bug Bounty: Usual and Sherlock launch a record-breaking $16 million incentive to uncover critical vulnerabilities in Usual’s decentralized stablecoin protocol.
- Critical-Only Scope: The bounty targets only severe issues that could lead to significant fund losses or year-long asset freezes, ensuring high-impact security gaps are addressed.
- Reinforcing DeFi Security: With over $880 million in TVL and 20 prior audits, this move underscores Usual’s commitment to transparency and robust security in the DeFi space.
Decentralized stablecoin protocol Usual has teamed up with blockchain security firm Sherlock to launch what is being called the largest bug bounty prize in tech history. The program, which went live on Wednesday, offers a staggering $16 million to ethical hackers who can uncover a critical vulnerability in Usual’s codebase.
🔒 $16,000,000 for one bug.
Today, Usual, @sherlockdefi and @NexusMutual launch the largest bug bounty in the history of technology: a $16M reward to discover a single critical vulnerability in our codebase.
Usual is built to last. Read on 🧵👇 pic.twitter.com/ZZ1vLPrRF5
— Usual (@usualmoney) April 2, 2025
This record-breaking bounty surpasses previous industry highs, including Uniswap’s $15.5 million, LayerZero Labs’ $15 million, and Wormhole’s $10 million. Even in the broader tech sector, Google’s $12 million bug bounty program from 2022 falls short of Usual’s ambitious security initiative.
Strengthening Security in DeFi
With over $880 million in total value locked (TVL), Usual’s move underscores its commitment to security and transparency. Bug bounty programs are a common practice in the tech industry, designed to incentivize ethical hackers to identify vulnerabilities before malicious actors can exploit them.
Usual’s codebase has already undergone 20 previous audits, including a recent Sherlock audit contest that featured a $209,000 prize pool. However, no valid medium or higher vulnerabilities were found, prompting the company to take its security efforts to the next level.
Only Critical Vulnerabilities Qualify
To claim the $16 million top payout, hackers must identify vulnerabilities deemed critical by Sherlock’s standards. These include flaws that could lead to a definite and significant loss of funds or a long-term freezing of assets for over a year.
All reports must be submitted directly to the Usual bug bounty page on Sherlock’s platform. The strict eligibility criteria ensure that only the most severe security threats are addressed, reinforcing trust in Usual’s protocol.
A Bold Step for DeFi Security
Sherlock CEO Jack Sanford praised the initiative, calling it a historic bug bounty that reflects Usual’s dedication to advancing DeFi with integrity. The partnership between Usual and Sherlock highlights the growing importance of robust security measures in the DeFi space.
As the crypto industry continues to evolve, initiatives like this set a new standard for security and transparency. Whether ethical hackers uncover vulnerabilities or not, Usual’s unprecedented bug bounty sends a powerful message: security is paramount in the future of decentralized finance.
