Bug bounty scope gap on highest-TVL contracts
Usual (USD0 / bUSD0 / USUAL)'s assessment for RD-F-183 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Sherlock bug bounty #56 ($16M max USDC, live since April 8, 2025) covers USD0, USD0PP (bUSD0), DaoCollateral, RegistryAccess, RegistryContract, ClassicalOracle, SwapperEngine, TokenMapping, UsualM, UsualUSDtb, EulerOracle, USUAL, USUALx, DistributionModule, YieldModule — Ethereum mainnet only. L2 OFT adapters (Arbitrum, Base, BNB Chain) are explicitly out of scope. The L1OFTAdapter appears likely in scope under 'Core Stablecoin Protocol' but was not independently verifiable from the Sherlock page. Main TVL is on Ethereum mainnet contracts — all covered by the bounty. No critical scope gap on highest-TVL contracts identified.
Sources
- URL: Bug Bounty | Usual Tech Docs. Usual tech docs bug bounty — in-scope contracts list. Retrieved 2026-05-17.
Methodology
Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.