• Largest crypto bug bounty to date, surpassing Uniswap’s $15.5 million.
• Usual has undergone 20 security audits, all finding no major flaws.
• Other protocols lag behind, with max bounties at $2 million so far.

Stablecoin protocol Usual has unveiled a record-setting $16 million bug bounty programme in partnership with blockchain security firm Sherlock.

The initiative, now the largest in the crypto sector, targets critical codebase flaws that could lead to the loss or freezing of funds.

Hosted on Sherlock’s platform, the bounty will only award findings that highlight confirmed and long-term security risks, with an emphasis on realistic exploit scenarios.

The launch marks a significant escalation in the industry’s approach to on-chain safety, overtaking Uniswap’s $15.5 million bounty announced in late 2024.

Crypto security hits $16m milestone

The $16 million bounty makes Usual the new frontrunner in the blockchain security race, eclipsing all previously recorded bug bounty rewards in the decentralised finance (DeFi) ecosystem.

Prior to this, the largest bounty was offered by Uniswap Labs in November 2024, totalling $15.5 million.

Usual’s bounty sets a new precedent and comes at a time when Total Value Locked (TVL) on its platform has crossed $880 million, increasing the need for robust defence mechanisms.

Unlike standard bug bounties, the Usual-Sherlock initiative focuses on vulnerabilities with the potential to cause irreversible damage.

Only bugs that result in definite fund loss or indefinite freezing, lasting a year or more without reliance on external conditions, will qualify for rewards.

This selective approach aims to prioritise threats with the highest real-world impact.

20 security audits complete, no flaws found so far

The launch of this $16 million programme follows a string of security checks on Usual’s codebase.

According to Sherlock, the protocol has already undergone 20 audits, including a recent Sherlock-hosted audit contest that featured a $209,000 prize pool.

None of the audits identified any critical issues in the code, increasing industry confidence in the protocol’s architecture.

This latest bounty campaign is hosted entirely on Sherlock’s platform, which serves as a hub for vetting blockchain applications through community-led vulnerability hunts.

Sherlock’s role ensures that the bounty process is transparent, competitive, and efficiently managed, giving ethical hackers clear guidelines on what qualifies for a payout.

Threat detection becomes priority

As DeFi platforms grow in complexity and capitalisation, the scale and stringency of bug bounties have become key differentiators.

For Usual, this initiative signals a strategic move to reassure users and institutional partners about the integrity of its operations.

The push toward larger and more targeted bug bounty programmes underscores a maturing industry grappling with escalating threats.

In a space where vulnerabilities can be exploited in seconds, pre-launch security assurances are becoming just as critical as post-launch performance metrics.

• Hyperliquid has launched its general-purpose EVM dubbed HyperEVM.
• The HyperEVM integrates with Hyperliquid’s L1 consensus mechanism for security.
• The Hyperliquid Bug bounty offers up to $1M for identified bugs.

Hyperliquid, the layer-1 blockchain platform, has launched HyperEVM, its general-purpose Ethereum Virtual Machine (EVM).

The HyperEVM is live. This is a major step toward the vision of housing all finance by bringing general-purpose programmability to Hyperliquid’s performant financial system. The initial mainnet release of the HyperEVM includes:

1. HyperEVM blocks built as part of L1 execution,… pic.twitter.com/sleqk1N7T5

— Hyper Foundation (@HyperFND) February 18, 2025

This move marks a crucial step in Hyperliquid’s mission to integrate comprehensive financial programmability into its high-performance ecosystem.

HyperEVM is integrated into Hyperliquid’s L1 consensus mechanism

The HyperEVM will not operate as a standalone chain but is deeply integrated into Hyperliquid’s existing layer-1 consensus mechanism, known as HyperBFT. This integration ensures that the EVM inherits the robust security features of Hyperliquid’s base layer.

Notably, the blocks of HyperEVM are constructed as part of the L1 execution, providing seamless interaction between the EVM and native components of the Hyperliquid network. This setup allows for the HYPE token, native to Hyperliquid, to be fungible with the gas token used within the HyperEVM, enhancing the platform’s liquidity and user experience.

HyperEVM has been assigned a chain ID of 999, and a JSON-RPC server has been made available to encourage node operators and other builders to host their own servers, thereby decentralizing access to the network.

In addition, recognizing the nascent state of tooling and analytics around the new EVM, Hyperliquid is streaming raw HyperEVM block data to S3 in real-time. This approach allows developers to index the blockchain without the necessity of running their own nodes, easing the burden on new entrants to the ecosystem.

While the initial release includes key features like spot transfers between native HYPE and HyperEVM HYPE, and the deployment of the WHYPE system contract for DeFi applications, Hyperliquid plans to introduce general ERC20 transfers and precompiles in future upgrades.

This staggered rollout strategy aims to minimize disruption to existing users while adding new functionalities, demonstrating Hyperliquid’s commitment to both innovation and stability.

The Hyperliquid bug bounty program

In tandem with the EVM launch, Hyperliquid has introduced a comprehensive bug bounty program. This initiative is designed to fortify the system’s security by incentivizing developers to find and report vulnerabilities.

Rewards under the bug bounty program can scale up to 1 million USDC, depending on the severity of the security issue identified.

The program covers a broad spectrum of potential vulnerabilities, including those that might cause system outages or errors in the nodes or API servers.

For the HyperEVM on the mainnet, bug hunters can report issues related to the integration of EVM with Hyperliquid’s native functionalities.