- Largest crypto bug bounty to date, surpassing Uniswap’s $15.5 million.
- Usual has undergone 20 security audits, all finding no major flaws.
- Other protocols lag behind, with max bounties at $2 million so far.
Stablecoin protocol Usual has unveiled a record-setting $16 million bug bounty programme in partnership with blockchain security firm Sherlock.
The initiative, now the largest in the crypto sector, targets critical codebase flaws that could lead to the loss or freezing of funds.
Hosted on Sherlock’s platform, the bounty will only award findings that highlight confirmed and long-term security risks, with an emphasis on realistic exploit scenarios.
The launch marks a significant escalation in the industry’s approach to on-chain safety, overtaking Uniswap’s $15.5 million bounty announced in late 2024.
Crypto security hits $16m milestone
The $16 million bounty makes Usual the new frontrunner in the blockchain security race, eclipsing all previously recorded bug bounty rewards in the decentralised finance (DeFi) ecosystem.
Prior to this, the largest bounty was offered by Uniswap Labs in November 2024, totalling $15.5 million.
Usual’s bounty sets a new precedent and comes at a time when Total Value Locked (TVL) on its platform has crossed $880 million, increasing the need for robust defence mechanisms.
Unlike standard bug bounties, the Usual-Sherlock initiative focuses on vulnerabilities with the potential to cause irreversible damage.
Only bugs that result in definite fund loss or indefinite freezing, lasting a year or more without reliance on external conditions, will qualify for rewards.
This selective approach aims to prioritise threats with the highest real-world impact.
20 security audits complete, no flaws found so far
The launch of this $16 million programme follows a string of security checks on Usual’s codebase.
According to Sherlock, the protocol has already undergone 20 audits, including a recent Sherlock-hosted audit contest that featured a $209,000 prize pool.
None of the audits identified any critical issues in the code, increasing industry confidence in the protocol’s architecture.
This latest bounty campaign is hosted entirely on Sherlock’s platform, which serves as a hub for vetting blockchain applications through community-led vulnerability hunts.
Sherlock’s role ensures that the bounty process is transparent, competitive, and efficiently managed, giving ethical hackers clear guidelines on what qualifies for a payout.
Threat detection becomes priority
As DeFi platforms grow in complexity and capitalisation, the scale and stringency of bug bounties have become key differentiators.
For Usual, this initiative signals a strategic move to reassure users and institutional partners about the integrity of its operations.
The push toward larger and more targeted bug bounty programmes underscores a maturing industry grappling with escalating threats.
In a space where vulnerabilities can be exploited in seconds, pre-launch security assurances are becoming just as critical as post-launch performance metrics.
