USX
Program Overview
USX is a fully collateralized neodollar developed by Scroll, designed to merge the best of traditional finance (TradFi) and decentralized finance (DeFi) to deliver stable, sustainable rewards. Unlike conventional stablecoins, USX introduces a new paradigm — it is private, gasless, and spendable in real life. This is made possible through Cloak, Scroll’s privacy layer, along with chain-level customizations and integrated payment partners.
For more information about USX, please visit https://www.usx.capital/
Reward Amounts
- Critical: 50,000 USD - 100,000 USD
- High: 5,000 USD - 10,000 USD
- Medium: 3,000 USD (flat)
- Payouts are capped at 10% of the affected funds at the time of submission.
Severity Definitions
Critical Definition
- Definite and significant loss of funds without limitations of external conditions
- Definite and significant freezing of funds for >1 year without limitations of external conditions
High Definition
- Direct loss of funds without (extensive) limitations of external conditions. The loss of the affected party must be considerable.
Guidelines for Considerable Loss:
- Users lose more than 1% and more than 10 USD of their principal.
- Users lose more than 1% and more than 10 USD of their yield.
- The protocol loses more than 1% and more than 10 USD of the fees.
Medium Definition
- Causes a loss of funds but requires certain external conditions or specific states, or a loss is highly constrained. The loss must be relevant to the affected party.
- Breaks core contract functionality, rendering the contract useless or leading to loss of funds that are relevant to the affected party.
Guidelines for Relevant Loss:
- Users lose more than 0.01% and more than 10 USD of their principal.
- Users lose more than 0.01% and more than 10 USD of their yield.
- The protocol loses more than 0.01% and more than 10 USD of the fees.
General Notes
- Sherlock’s Criteria for Issue Validity guide can be a helpful resource for more context on out-of-scope issues, etc., but nothing in the guide should overrule the definitions above.
- A coded Proof of Concept (POC) with instructions to run the POC is required.
- If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage.
- The link to the GitHub repo in the "Scope" tab may lead to an older commit. Please make sure to audit the newest commit of the codebase.
Platform Rules
Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability.
Previous Audits
Additional Context
Protocol Resources
Max Rewards: 100,000 USDC
Status: LIVE
Live since: Mar 27, 2026, 11:31 AM
Last updated: Mar 27, 2026, 11:31 AM