What is smart contract risk?
Smart contract risk is the possibility that the code governing Fira contains a bug, design flaw, or unintended behavior that an attacker can exploit — resulting in loss of funds. Because all transactions on Ethereum are irreversible, there is no undo if funds are drained from a contract.
What can happen
Vulnerabilities can arise from many sources:
Implementation errors in the contract code itself
Incorrect assumptions about how external protocols or tokens behave
Interactions between multiple contracts that create unexpected behaviors
Edge cases in the math or economic logic that were not anticipated
Access control mistakes that allow unauthorized actions
Oracle manipulation that enables price-based attacks
When a vulnerability is exploited, funds can be stolen or permanently locked. The protocol may be able to pause operations quickly, but any funds taken before the pause are likely unrecoverable.
How Fira mitigates this
6 independent audits by 4 firms (November 2025 – March 2026)
| Firm | Type | Period |
| --- | --- | --- |
| Sherlock | Competitive audit (community of researchers) | Nov 2025 – Mar 2026 |
| Spearbit / Cantina | Focused security review | Nov 2025 – Mar 2026 |
| yAudit | Independent audit | Dec 2025 |
| Hexens | Independent audit | 2025–2026 |
In addition, the Usual Labs engineering team conducted approximately one month of internal review covering code quality, deployment configuration, access controls, and operational security.
Bug bounty: up to $500,000 via Sherlock
Fira runs an ongoing bug bounty program through the Sherlock platform, with a maximum payout of $500,000 for critical vulnerabilities — those that would result in definite, significant loss of funds. The bounty covers the in-scope Fira UZR contracts deployed on Ethereum mainnet.
This is Fira's own infrastructure bounty. It is separate from the broader Usual Protocol bug bounty, which is not part of Fira's program.
Operational controls
Contract pause capability: Fira can halt key operations if a suspected exploit is detected
Multisig wallet governance: critical protocol actions require multiple authorized signers
Response window: severity assessments assume a 1-hour response window
What you can do
Read the audit reports (linked at docs.fira.money) to understand what was reviewed and what findings were addressed
Don't deposit more than you're prepared to lose entirely — audits reduce risk, they don't eliminate it
Stay informed about any security announcements or pauses from the Fira team
Audits and a bug bounty reduce the probability of a smart contract exploit. They do not make it impossible. Transactions are irreversible.