Fira has gone through an extensive security review process before and since launch. This article details the audits, bug bounty, and operational controls that are part of the protocol's security posture.
External audits — 6 audits by 4 firms
Between November 2025 and March 2026, Fira's smart contracts were independently reviewed six times by four security firms.
| Firm | Audit name | Date | Type |
|---|---|---|---|
| Sherlock | Fira UZR Audit Nov25 | November 2025 | Competitive (community of researchers) |
| Spearbit / Cantina | Cantina code – Fira UZR Audit Nov25 | November 2025 | Focused security review |
| yAudit | Fira UZR Audit Dec 25 | December 2025 | Independent |
| Hexens | Fira protocol audit(s) | 2025–2026 | Independent |
All firms reviewed the core Fira contracts: the UZR lending vault, interest rate models, oracle adapters, and supporting infrastructure.
Each firm brought a different approach:
Sherlock runs competitive audits where a community of independent researchers all review the same codebase simultaneously, broadening the attack surface covered
Spearbit/Cantina conducted a deep focused review with senior security researchers
yAudit and Hexens provided independent perspectives, particularly on edge cases, mathematical precision, and cross-contract interactions
Audit reports are publicly available at docs.fira.money.
Internal review — ~1 month by Usual Labs
In addition to the external audits, the Usual Labs engineering team ran approximately one month of internal review. This covered:
Code quality and implementation correctness
Deployment configuration and parameter setup
Access control structures
Operational security procedures
The internal review complemented external audits by applying deep domain knowledge of the protocol's intended design and behavior.
Bug bounty — up to $500,000 via Sherlock
Fira runs an active bug bounty program through the Sherlock platform. Rewards are structured by severity:
Critical — Up to $500,000 (minimum $50,000 for a valid critical finding). Critical is defined as a vulnerability that would cause definite, significant loss of funds or irreversible locking of funds at a systemic level.
High — Discretionary, determined by impact
Medium — Discretionary, determined by impact
The bug bounty covers the Fira UZR contracts deployed on Ethereum mainnet. It is Fira's own infrastructure program — separate from the broader Usual Protocol bug bounty, which covers USD0, bUSD0, and the USUAL token ecosystem.
To submit a vulnerability: use the official Sherlock platform following the program rules. All submissions go through Sherlock triage; Sherlock makes the final determination on severity and reward amounts.
Operational controls
Contract pause capability — Fira can halt key protocol functions if a critical vulnerability is detected or an exploit is suspected. The team assumes a 1-hour response window for mitigation.
Multisig wallet governance — Critical protocol actions require multiple authorized signers. No single key can unilaterally drain the protocol or change core parameters.
Monitored deployment — Contract addresses are publicly verified on Etherscan and match the audited code.
What audits don't cover
Audits reduce the probability of undiscovered vulnerabilities. They do not eliminate it.
No audit can test every possible state of an on-chain system interacting with real market conditions and external protocols. A vulnerability can remain undetected across multiple audits. The bug bounty is specifically designed to incentivize the ongoing discovery of issues that audits missed.
If you're evaluating the security of Fira: read the audit reports, understand the scope, and make an informed decision about how much capital to put at risk.