Usual is a secure and decentralized fiat-backed stablecoin issuer that redistributes value and ownership through the $USUAL token. Take control, make an impact, and grow with us.
Scope
On what chains are the smart contracts going to be deployed?
Ethereum, Arbitrum.
https://tech.usual.money/smart-contracts/contract-deployments
If you are integrating tokens, are you allowing only whitelisted tokens to work with the codebase or any complying with the standard? Are they assumed to have certain properties, e.g. be non-reentrant? Are there any types of weird tokens you want to integrate?
Are there any limitations on values set by admins (or other roles) in the codebase, including restrictions on array lengths?
No.
Are there any limitations on values set by admins (or other roles) in protocols you integrate with, including restrictions on array lengths?
No.
Is the codebase expected to comply with any specific EIPs?
We do not consider compliance with EIPs relevant unless non-compliance poses an attack vector.
Are there any off-chain mechanisms involved in the protocol (e.g., keeper bots, arbitrage bots, etc.)? We assume these mechanisms will not misbehave, delay, or go offline unless otherwise specified.
N/A
What properties/invariants do you want to hold even if breaking them has a low/unknown impact?
Please discuss any design choices you made.
Please provide links to previous audits (if any).
https://tech.usual.money/security-and-audits/audits
Previous Sherlock audit reports for Euler EVK & UsualUSDtB, plus two additional audit reports to be added before finalization (latest 26/02/2025).
Please list any relevant protocol resources.
Gitbook: https://tech.usual.money/
Architecture Diagram: https://tech.usual.money/overview/architecture (to be updated with UsualM)
Whitepaper: https://docs.usual.money/resources-and-ecosystem/whitepaper
Additional audit information.
If there is no Proof of Concept or equivalent proof added, findings are not accepted.
RWA Tokenizer risk (oracles etc.) is out of scope (including min/maxAnswer checks on Chainlink).
Malicious bridges (layerzero/chainlink) out of scope.
Curve Protocol is out of scope.
Multisignature wallet hacks are out of scope.
No natspec/comments/harness/mocks/outdated documentation files in code repository count as findings.
Economic attacks are only in scope if they are at minimum symmetric (e.g. I spend $1 to gain at least $1).
Bugs or incorrect behavior in third party code like RWA token implementations or other protocols are out of scope.
Incorrect data supplied by third-party oracles is out of scope.
Issues related to deploy scripts or tests are out of scope.
Any vulnerability, acknowledged or not, that was not fixed by the protocol team (previous audit & competition reports) is invalid.
Attacks which include calls to permissioned smart contract functions or require the attacker to hold a specific role in the Usual protocol are out of scope.
Design choices related to the protocol are out of scope.
Extreme market turmoil vulnerabilities are out of scope.
Brute force attacks are out of scope.
Tokens/token types that are not actually used by the Usual Protocol yet are out of scope.
Any type of user error, like transfers to address(0), that can be easily prevented in the frontend
Issues based on Sybil attacks are out of scope.
Issues related to centralization risks are out of scope.
Issues related to SwapperEngine if the underlying isn't USDC / Circle is compromised are out of scope.
Please verify the default values to ensure they're appropriate
In a nutshell, the absence of an initializer is generally not an issue worth reporting; an initializer only matters when it is present and there is an issue in it.
------- Regarding Findings/Severity (TVL is assumed at ONE BILLION USD) -------
Severity Matrix for Core Stablecoin Protocol + RWA Token Wrapper Contracts (UsualUSDtB, UsualM)
Contracts + imported files
USD0
USD0PP
DaoCollateral
RegistryAccess
RegistryContract
ClassicalOracle minus UsualOracle
SwapperEngine
UsualUSDtB
UsualM
High
An issue that results in the loss, theft, waste, or permanent freezing of 5%-100% of the total TVL.
Medium
An issue that results in the loss, theft, waste, or permanent freezing of 0.5%-5% of the total TVL.
An issue that results in the theft of 0.01%-5% of the total TVL.
Out of Scope:
Issues that can be remedied by RWA Token Governance / Usual Token Governance burning and minting (e.g. frozen assets after an attack) are out of scope.
Severity Matrix for Usual Token & Distribution Module, UsualX, Usual*, Airdrop (everything outside of the files above)
High findings here aren't considered in unlocking the high pot. Findings here are worth 50% of the finding value of Core Protocol/Wrapper findings.
High
An issue that results in the theft of 10%-100% of the current Usual supply.
Medium
An issue that results in the theft of 5%-10% of the current Usual supply.
----- REGARDING FINDINGS ON DEPLOYED CONTRACTS -----
Any vulnerability involving already deployed core contracts must not be disclosed publicly or to any other person, entity or email address before Usual Labs has been notified, has fixed the issue, and has granted permission for disclosure in the competition. In addition, disclosure must be made within 24 hours following discovery of the vulnerability. Additional compensation outside of the competition prize pool can also be granted optionally by Usual Labs.
Total Rewards
Contest Pool: 180,000 USDC
Lead Senior Watson: 20,000 USDC
Judging Pool: 2,500 USDC
Lead Judge: 7,000 USDC