Cap (cUSD / stcUSD)
Decentralised credit marketplace issuing cUSD (dollar-denominated stablecoin, 1:1 redeemable) and stcUSD (yield-bearing savings token) on Ethereum. Operators borrow pool assets to generate yield; underwriters lock capital via Shared Security Networks (SSN: Symbiotic and EigenLayer) as performance bonds and slashing-backed insurance. Yield is sourced from operator hurdle rates plus idle-reserve deployment into Aave V3. Novel SSN-backed yield stablecoin architecture; closest analogs are Ethena (synthetic-dollar / delta-neutral) and EigenLayer/Symbiotic AVS (restaking-primitive credit). cUSD and stcUSD bridge to MegaETH via LayerZero OFT.
Deployments: Ethereum · $342.2M
Risk profile at a glance
0 red · 5 yellow · 8 green
Categories & evidence
184 factors · 13 categories
Code & audits · Green · 9 · 25 of 25
RD-F-001 yellow Audit scope mismatch 9 audit engagements confirmed (Zellic 2025-03-17, ToB 2025-05-15, Electisec 2025-05-25, Spearbit 2025-06-23, Recon 2025-07-04, Sherlock 2025-09-03, Certora 2025-09-15, Spearbit PR review 2025-11-27, Octane 2026-03-24). Sherlock competitive audit commit confirmed: 0a57fbfdba7f54e516b5ed412548b7e415f3739d. No commit SHAs published on docs.cap.app/resources/audits — PDFs inaccessible for SHA extraction. Octane 2026-03-24 is the latest audit; main branch commits extend to 2026-05-08 (44 days of post-audit development including FalconXUSDC Oracle, Tempo Bridge, OFT settings). check-proxy-implem.txt shows one implementation address mismatch (expected 0xce21... vs actual 0x568A...) consistent with a legitimate upgrade. Score yellow due to post-audit development gap and inability to verify all audit-to-bytecode commit SHA matches.
RD-F-006 yellow Audit-to-deploy gap Initial Zellic audit signed off 2025-03-17; cUSD/stcUSD deployed 2025-07-08 per Etherscan (block 22,874,016) = 113-day gap (yellow threshold: 61-180 days). Later audits (ToB May, Spearbit June, Sherlock July-Sept 2025) tighten the gap for their respective commits. Post-Octane (2026-03-24) development through May 2026 introduces a new gap for the most recent code changes.
RD-F-009 yellow Formal verification coverage Certora engaged for 'EigenAVS' scope (EigenLayer SSN component) — dated 2025-09-15. Per U-rule U8 in invocation: this is component-scoped FV of the EigenLayer integration only, NOT full-protocol FV. Core protocol logic (Vault, Lender, cUSD/stcUSD tokens, AccessControl, Oracle) has no documented formal verification. At $342M TVL, component-only FV with no core protocol FV coverage is yellow (between 20-79% of declared critical invariants).
RD-F-014 yellow Reentrancy guard on external-calling functions No explicit nonReentrant modifier found in Vault.sol, Lender.sol, VaultLogic.sol, BorrowLogic.sol, FractionalReserve.sol, or SymbioticNetworkMiddleware.sol. BorrowLogic.sol: debt token minted and reserve debt incremented BEFORE external calls to IVault.borrow() and IDelegation.setLastBorrow() — partial CEI compliance, but delegation call is post-state. ERC4626 paths in StakedCap.sol have OZ-provided protections. Multiple Tier-1 audits (ToB, Spearbit, Sherlock) covered borrow/mint/redeem paths. No reentrancy finding has been publicly disclosed, suggesting auditors accepted the pattern or found mitigations. Yellow due to absence of explicit guards without PDF confirmation of accepted-risk status.
RD-F-024 yellow Code complexity vs audit coverage Cap has ~200+ Solidity files across 15+ directories (token, lendingPool, vault, oracle, delegation/eigenlayer, delegation/symbiotic, access, gelato, feeAuction, feeReceiver, fractionalReserve, etc.; 749 commits). The Sherlock competitive audit covered 47 files. The codebase is substantial for a 9-month-old protocol; 9 engagements provide reasonable coverage cadence but exact LOC/audit-day ratio is not available without PDF access. The ratio of ~200 contract files to 9 audits suggests yellow complexity coverage (adequate but not fully verifiable).
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Sherlock Bug Bounty ($1M USDC max, audits.sherlock.xyz/bug-bounties/114, live since 2025-10-24) exists. The bug bounty scope list is not fully accessible via WebFetch (Sherlock SPA). The Electisec 'LZ vault' audit (2025-05-25) confirmed the OFT lockbox component was separately audited. OFTLockboxUpgradeable.sol bridges material TVL to MegaETH, Monad, Tempo, Katana chains. If this contract is not explicitly in the Sherlock bug bounty scope, it would be a material scope gap (per F183 definition — highest-TVL contracts explicitly out of scope). Yellow assigned pending curator verification of the full in-scope contract list against OFTLockboxUpgradeable.sol. No Immunefi program exists as a fallback.
RD-F-003 gray Resolved-without-proof findings All 9 audit PDFs are inaccessible via WebFetch (binary format). No public finding resolution tracker exists on docs.cap.app. Cannot verify that all medium/high findings from Zellic, ToB, Spearbit, or Sherlock audits have corresponding on-chain resolutions. Gray due to inaccessible primary evidence. Curator must review PDFs directly.
RD-F-010 gray Static-analyzer high-severity count slither.config.json exists (medium+high severity, excludes lib/test/script) but no published Slither CI output is publicly accessible. BorrowLogic.sol shows a CEI concern (external calls after some state updates) that Slither would flag. Audit PDFs inaccessible — cannot confirm static analysis results. Gray due to no programmatic tool output available for review.
RD-F-016 gray Divide-before-multiply pattern No published Slither output available. Recon invariant testing (2025-07-04) likely addressed mathematical invariants including divide-before-multiply. Source inspection shows use of explicit scaling patterns in BorrowLogic/VaultLogic but cannot confirm without tool output. Gray pending programmatic Slither run.
RD-F-002 green Audit recency Most recent audit: Octane 2026-03-24 (54 days before 2026-05-17 assessment). Within the green threshold (≤365 days). The Spearbit PR review 2025-11-27 also provides recent post-launch review coverage.
RD-F-004 green Audit count 8 distinct audit firms confirmed: Zellic, Trail of Bits, Electisec, Spearbit (×2 engagements = 1 firm), Recon, Sherlock, Certora, Octane. All confirmed via github.com/cap-labs-dev/cap-audits directory. Well exceeds the ≥2 distinct firms green threshold.
RD-F-005 green Audit firm tier Tier-1 firms engaged: Trail of Bits (2025-05-15 full review), Spearbit (2025-06-23 LSR + 2025-11-27 PR review), Certora (2025-09-15 EigenAVS FV). Zellic and Electisec are Tier-2 established firms. The protocol has clear multi-Tier-1 coverage — Trail of Bits and Spearbit are unambiguously Tier-1 per taxonomy registry.
RD-F-007 green Bug bounty presence & max payout Sherlock Bug Bounty live since 2025-10-24, max payout $1,000,000 USDC (audits.sherlock.xyz/bug-bounties/114). Exceeds the green threshold (≥$500K). No Immunefi program exists per data cache.
RD-F-008 green Ignored bounty disclosure No prior security incidents confirmed for Cap protocol (zero exploits; web search for 'cap labs exploit 2025 2026' returned no incident results). Data cache rekt entries (Radiant, Rari, Midas) are name-collision false positives per profile §10. No post-mortem to evaluate.
RD-F-011 green SELFDESTRUCT reachable from non-admin path No SELFDESTRUCT opcode found in any inspected contract (CapToken.sol, Vault.sol, Lender.sol, StakedCap.sol, AccessControl.sol, OFTLockboxUpgradeable.sol, EigenAgentManager.sol, SymbioticNetworkMiddleware.sol). Solidity 0.8.28 replaces SELFDESTRUCT with SENDALL semantics (EIP-6780) — the destructive behavior is not available in normal contract calls.
RD-F-012 green delegatecall with user-controlled target No user-controlled delegatecall target found in any inspected contract. UUPS upgrade pattern uses internal OZ delegation (proxy → implementation via EIP-1967 slot). No external delegatecall with user-supplied target in Vault.sol, Lender.sol, CapToken.sol, or AccessControl.sol.
RD-F-013 green Arbitrary call with user-controlled target No arbitrary .call(target, data) with user-controlled target found in inspected contracts. VaultLogic.rescueERC20 uses SafeERC20.safeTransfer on a named asset address (not user-controlled). AccessControl functions are role-gated. No LIFI-class arbitrary call pattern found.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard Protocol accepts ERC-20 stablecoins only (USDC primarily). No ERC-777, ERC-1155, or ERC-721 token integrations identified in Lender.sol or Vault.sol. No callback-capable token standard integration found.
RD-F-017 green Mixed-decimals math without explicit scaling Protocol handles USDC (6 decimals) as primary asset. Source inspection of VaultLogic.sol and BorrowLogic.sol shows explicit scaling patterns (RAY/WAD normalization). Sherlock competitive audit (47 files, July 2025) would have flagged decimal mismatch. No public finding of this nature disclosed.
RD-F-018 green Signed/unsigned arithmetic confusion Solidity 0.8.x compiler default overflow protection (all arithmetic reverts on over/underflow). Trail of Bits and Spearbit (Tier-1 firms) would have flagged systematic signed/unsigned confusion. No public finding of this nature disclosed across 9 audit engagements.
RD-F-019 green ecrecover zero-address return unchecked No raw ecrecover calls without address(0) guard found. OFTPermit.sol and L2TokenUpgradeable.sol inherit ERC20Permit from OpenZeppelin v5.2.0, which uses ECDSA.recover internally with proper zero-address handling. OFTPermit.sol also has an explicit check: if (_to == address(0x0)) _to = address(0xdead).
RD-F-020 green EIP-712 domain separator missing chainId OFTPermit.sol and L2TokenUpgradeable.sol inherit ERC20Permit from OpenZeppelin v5.2.0. OZ ERC20Permit implements EIP-712 domain separator correctly including chainId. No custom EIP-712 domain separator found without chainId field.
RD-F-021 green UUPS _authorizeUpgrade correctly permissioned All inspected UUPS implementation contracts implement _authorizeUpgrade() with access control: CapToken.sol (checkAccess(bytes4(0))), StakedCap.sol (checkAccess(bytes4(0))), Lender.sol (checkAccess(bytes4(0))), EigenAgentManager.sol (checkAccess pattern), SymbioticNetworkMiddleware.sol (checkAccess(bytes4(0))), OFTLockboxUpgradeable.sol (onlyOwner). All upgrade paths require authorization via the AccessControl contract chain (Timelock → dev multisig).
RD-F-022 green Public initialize() without initializer modifier All inspected UUPS implementation contracts: (1) call _disableInitializers() in constructor, AND (2) use the 'initializer' modifier on initialize(). Confirmed for: CapToken.sol, StakedCap.sol, Lender.sol, AccessControl.sol, EigenAgentManager.sol, SymbioticNetworkMiddleware.sol, OFTLockboxUpgradeable.sol, L2TokenUpgradeable.sol, CapInterestHarvester.sol. No unprotected initialize() found across 9 inspected implementation contracts.
RD-F-023 green Constructor calls _disableInitializers() _disableInitializers() confirmed in all 9 inspected UUPS proxy implementation constructors (CapToken.sol, StakedCap.sol, Lender.sol, AccessControl.sol, EigenAgentManager.sol, SymbioticNetworkMiddleware.sol, OFTLockboxUpgradeable.sol, L2TokenUpgradeable.sol, CapInterestHarvester.sol). Pattern is consistent across the entire codebase.
Governance & admin · Yellow · 24 · 24 of 24
RD-F-041 red Rescue/emergencyWithdraw without timelock [★ CRITICAL] rescueERC20(address _asset, address _receiver) exists in Vault.sol gating cUSD/stcUSD TVL, callable by whoever holds the per-selector role via checkAccess(). The AccessControl system allows direct execution by the role-holder without mandatory Timelock delay on the rescue call itself. Deployer EOA (0xc1ab...b52) holds Timelock EXECUTOR role independently (can execute scheduled operations without Safe co-sig). Protocol docs confirm 'rescue ERC20' as an admin emergency permission. Single-tx drain risk if role is currently held by an address other than the dev multisig.
RD-F-028 yellow Low-threshold multisig vs TVL 3-of-5 threshold at $342M TVL is within peer norm minimum. However, both Safes share identical signer sets (same 5 persons control both dev admin and token ownership) — effective admin surface is one 3-of-5 group with no real separation of concerns.
RD-F-031 yellow Signer rotation recency No signer rotation events identified. Safe deployed ~1 year ago with consistent 3-of-5 and same 5 signers. No threshold reduction events. Yellow for lack of confirmed recent rotation (not red — no adverse direction of change identified).
RD-F-032 yellow Timelock duration on upgrades Timelock delay = 86,400 seconds = 24 hours. Per rubric: green = ≥48h, yellow = 24–47h. Cap's 24h delay is at the yellow boundary.
RD-F-033 yellow Timelock on sensitive actions Upgrades route through Timelock (confirmed via Upgraded events). However, rescueERC20 and pause/unpause appear admin-executable without mandatory Timelock routing on the function call itself — the AccessControl system grants per-selector roles, and role-holders can call functions directly once granted. 3-of-5 action types timelocked (upgrade, param-change), but rescue/pause direct execution path exists.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader No dedicated guardian multisig distinct from the upgrader. Pause functionality flows through the same AccessControl system as upgrades. CANCELLER_ROLE on Timelock is held by same entity as PROPOSER_ROLE (dev multisig).
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle AccessControl uses per-function-selector roles theoretically enabling separation. In practice, all roles are controlled by DEFAULT_ADMIN_ROLE (dev multisig via Timelock). Fee auction and oracle are separate contracts but their role admin is the same single group.
RD-F-040 yellow Emergency-veto multisig present No distinct emergency-veto multisig. CANCELLER_ROLE on TimelockController held by the dev multisig (same as PROPOSER_ROLE). Cancel authority is not independent from proposer.
RD-F-042 yellow Admin has mint() with unlimited max cUSD mint() is user-facing (no admin-only restriction, only whenNotPaused), subject to per-asset deposit caps. CAP governance token has no admin mint function in ABI. stcUSD is user-facing ERC4626 vault. Per-asset deposit caps are admin-adjustable via setDepositCap() without confirmed timelock requirement on the cap-setting itself.
RD-F-029 gray Multisig signers co-hosted Signer addresses are anonymous; no public identity attestations found. ASN/custodian co-hosting inference not possible without OSINT identity attribution. Routed to dev-identity-analyst.
RD-F-030 gray Hot-wallet signer flag Signer addresses not tied to public identities. Cannot assess hardware vs. hot-wallet signing patterns from available data. Behavioral heuristic requires Chainalysis-style feed.
RD-F-036 n/a Flash-loanable voting weight No on-chain governance exists. No Governor contract. No Snapshot space. No voting mechanism. CAP token deployed but no voting/governance contract deployed as of assessment date.
RD-F-037 n/a Quorum achievable via single-entity flash loan No on-chain governance. Not applicable.
RD-F-038 n/a Proposal execution delay < 24h No on-chain governance proposal mechanism. Timelock is multisig-controlled, not community-proposal-based. Not applicable.
RD-F-039 n/a delegatecall/call in proposal execution without allowlist No on-chain governor. No user-supplied proposal calldata path. The Safe proposes specific calldata to the Timelock — no open proposal mechanism allowing arbitrary delegatecall/call targets.
RD-F-044 gray Admin wallet interacts with flagged addresses Cannot assess without Chainalysis/TRM cluster feed. No flagged-address interaction data available.
RD-F-045 gray Constructor args match governance proposal No on-chain governance proposal for contract deployments. Multisig-controlled deploy has no community proposal to compare constructor args against.
RD-F-047 gray Governance token concentration (Gini) CAP governance token (0x9999...9999) deployed ~8 days ago. No holder distribution data available. No Governor contract means concentration doesn't directly translate to governance attack vector at this time.
RD-F-025 green Admin key custody type multisig+timelock: dev Safe (0xb8FC...8793, 3-of-5) routes through OZ TimelockController (86400s). DEFAULT_ADMIN_ROLE on AccessControl held by dev multisig via Timelock.
RD-F-026 green Upgrade multisig signer configuration (M/N) Dev multisig (0xb8FC...8793): threshold=3, owners=5. Cap Token Owner multisig (0x80A2...eA): threshold=3, owners=5 (same signers). 3-of-5 configuration on both.
RD-F-027 green Single admin EOA No EOA holds unilateral upgrade authority. Deployer EOA (0xc1ab...b52) holds only Timelock EXECUTOR role (not proposer). Recent on-chain trace shows deployer routes via Safe execTransaction, not direct Timelock.execute() calls.
RD-F-043 green Admin = deployer EOA after 7 days Admin role (DEFAULT_ADMIN_ROLE on AccessControl) is held by dev multisig, not the deployer EOA. Deployer EOA retains only Timelock EXECUTOR role by design from launch. Grant/revoke operations on AccessControl were performed via the Timelock from launch.
RD-F-046 green Contract unverified on Etherscan/Sourcify All core contracts verified on Etherscan: cUSD proxy (0xcCcc...cccC), stcUSD proxy (0x8888...8888), Lender (0x1562...01FC), AccessControl (0x7731...2c683), TimelockController (0xD823...9ab). Implementation contracts also verified.
RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated contracts identified holding material value (>$100k). The archive/ directory in GitHub repo exists but no deployed deprecated proxies with user funds found.
Oracle & external dependencies · Green · 17 · 17 of 17
RD-F-050 yellow Dependency graph (protocols depended upon) Full dependency graph confirmed: Aave V3 Core Pool (>80% of $342M TVL = $273M+ idle USDC deployed per Aave blog and stabledash reporting); Symbiotic (Network 0x98e52Ea7..., Middleware 0x09A3976d... UUPS, VaultFactory 0x0B92300C...); EigenLayer AVS (EigenAgentManager 0x08A728CF... UUPS, 17.5-day allocation delay); Morpho (stcUSD oracle adapter + listing); LayerZero v2 OFT (MegaETH bridge). Yellow because Aave V3 >80% concentration creates existential single-protocol exposure. All dependency addresses confirmed from docs.
RD-F-051 yellow Fallback behavior on oracle failure PriceOracle.sol implements primary/backup fallback: if primary oracle returns zero or is stale (block.timestamp - lastUpdated > staleness[asset]), backup oracle is queried. If both fail, reverts with PriceError. Docs confirm mint/burn disabled on stale prices. Yellow because RateOracle.sol _getRate() silently returns (0, 0) on adapter call failure rather than reverting — a zero rate propagating through interest calculations could cause mispriced borrowing if not handled by callers.
RD-F-052 yellow Breakage analysis per dependency Aave V3 failure: >80% USDC reserves unavailable for redemption; fractional reserve gap; redemption run risk. Symbiotic slash failure: operator default uncompensated; stcUSD yield impaired; peg risk. Oracle failure: mint/burn halted (operational, not direct loss if no manipulation). LayerZero DVN compromise: forged lzReceive; unbacked cUSD/stcUSD minted on MegaETH; collateral drain. Morpho adapter: stcUSD mispriced in Morpho markets. Yellow because Aave V3 concentration is the dominant risk: >$273M in a single external protocol. EigenLayer secondary coverage path partially mitigates Symbiotic risk.
RD-F-057 yellow Circuit breaker on price deviation No standalone protocol-level circuit breaker on price deviation. PriceOracle.sol only implements staleness check (_isStale) — no percentage-deviation threshold that halts the protocol. Chainlink feeds have built-in aggregator deviation thresholds (native to feed, not protocol-enforced). RedStone uses 0.05% deviation. A large price spike that falls within the Chainlink deviation threshold (e.g., ETH within 0.5%) could propagate without protocol-level circuit breaker intervention.
RD-F-058 yellow Max-deviation threshold (bps) Feed-native deviation thresholds only, not protocol-enforced circuit breakers. Per data cache: ETH/USD 50bps; BTC/USD 50bps; LINK/USD 50bps; USDC/USD 25bps; USDT/USD 25bps; AVAX/USD 200bps (wide for volatile asset on 86400s heartbeat); COMP/USD 100bps; UNI/USD 100bps; RedStone cUSD 5bps (very tight). AVAX/USD 200bps + 86400s heartbeat combination is the widest threshold. Yellow because no protocol-level threshold exists.
RD-F-060 yellow Chainlink aggregator min/max bound misconfig Cannot confirm minAnswer/maxAnswer configuration without on-chain RPC reads of each Chainlink aggregator. Major feeds (ETH/USD, BTC/USD) are well-established and historically have minAnswer set to avoid zero but not at exploitable floors. AVAX/USD 86400s heartbeat + 2% deviation is the widest threshold combination and warrants specific min/maxAnswer verification. No audit findings on min/maxAnswer misconfiguration found in Zellic, Trail of Bits, Spearbit, or Sherlock audit summaries.
RD-F-062 yellow External keeper/relayer not redundant Cap uses Gelato automation (contracts/gelato/ directory confirmed in cap-contracts repo). Gelato used for automated protocol operations (fee auction, fractional reserve management). Single keeper provider with no documented redundancy or failover to alternative automation network. Yellow because user-initiated operations remain functional even if Gelato fails, but automated rebalancing and fee distribution would halt.
RD-F-054 n/a TWAP window duration Cap does not use TWAP oracles. All price feeds are push-based Chainlink/RedStone or NAV-based Morpho/Chainlink. TWAP window duration is not applicable to this oracle architecture.
RD-F-055 n/a Oracle pool depth (USD) Cap does not use DEX pool-based oracles; therefore underlying oracle pool depth is not applicable. Chainlink and RedStone are not pool-depth dependent.
RD-F-056 n/a Single-pool oracle (no medianization) Cap does not use DEX pool pricing. Single-pool oracle medianization factor is not applicable.
RD-F-048 green Oracle providers used Chainlink push feeds (ETH, USDC, USDT, BTC, LINK, COMP, AVAX, UNI via multiple per-market instances), RedStone push feed for cUSD NAV (0x9A5a3c3Ed0361505cC1D4e824B3854De5724434A, 0.05% deviation), and Morpho ChainlinkOracleV2 adapter for stcUSD (0x8E3386B2f6084eB1B0988070c3d826995BD175c0). All consumed by Oracle contract 0xcD7f45566bc0E7303fB92A93969BB4D3f6e662bb via adapter pattern (staticcall with encoded payload). Rate oracle covers Aave benchmark rate and restaker rates via separate adapters.
RD-F-049 green Oracle role per asset Each asset has a primary adapter and backup adapter stored in mutable mappings (oracleData[_asset], backupOracleData[_asset]). Chainlink feeds serve collateral assets (ETH, BTC, LINK, COMP, AVAX, UNI) as primary. RedStone NAV-based feed is primary for cUSD. Morpho ChainlinkOracleV2 adapter serves stcUSD (ERC4626 conversion + Chainlink feeds). Rate oracle handles Aave benchmark rates (marketRate) and restaker rates (restakerRate). Roles clearly separated per asset class.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL] GREEN — No spot DEX pool oracle. Cap uses Chainlink push feeds (latestRoundData via adapter), RedStone push feed (NAV-based, 0.05% deviation), and Morpho/Chainlink adapter for stcUSD (ERC4626 conversion rate + Chainlink feeds, no TWAP). Primary/backup fallback implemented in PriceOracle.sol. No Uniswap TWAP or spot pool in price path.
RD-F-059 green Oracle staleness check present _isStale(address _asset, uint256 _lastUpdated) in PriceOracle.sol checks block.timestamp - _lastUpdated > staleness[_asset]. Staleness thresholds set per asset by admin via setStaleness(address _asset, uint256 _staleness). Mint and burn functions disabled when oracle returns stale data per docs. Staleness check is present on both primary and backup oracle reads.
RD-F-061 green LP token balanceOf used for pricing Cap does not use LP token balanceOf for pricing. PriceOracle.sol uses Chainlink/RedStone adapter pattern. Morpho stcUSD adapter uses ERC4626 convertToAssets() (not balanceOf()) plus Chainlink feeds. No donation-manipulable LP token pricing found.
RD-F-180 green Immutable oracle address [★ CRITICAL] GREEN — Oracle adapter addresses stored in mutable mappings in PriceOracle.sol (oracleData[_asset] and backupOracleData[_asset]). Admin can replace any oracle adapter via setPriceOracleData() and setPriceBackupOracleData() without contract redeployment. No immutable keyword on oracle addresses. PriceOracle is a UUPS proxy (upgradeable). The Morpho stcUSD adapter (0x8E3386B2...) has immutable internal parameters, but Cap's PriceOracle wrapper is admin-replaceable at the protocol layer — this satisfies F180. F180 green means Cap can reprice collateral by swapping oracle adapters in response to a depeg event.
RD-F-181 green Permissionless-pool lending oracle Cap operates a lending/borrow pool (Lender 0x15622c3dbbc5614E6DFa9446603c1779647f01FC). Operator listing is NOT permissionless — operators must register through AccessControl with admin approval, gated via Symbiotic and EigenLayer whitelisted participation. Oracle accepts prices from admin-configured adapters only, not from permissionless DEX pools. Rhea Finance / permissionless-pool vulnerability pattern does not apply. Green because listing is curated and oracle sources are admin-controlled.
Economic risk · Yellow · 20 · 13 of 13
RD-F-063 yellow TVL (current + 30d trend) Current TVL $342.2M (DefiLlama, 2026-05-17). 90-day CoV 0.247 (std $66.3M on mean $268M) — elevated volatility for a stablecoin issuance protocol. Peak $483.8M on 2025-09-28; current represents –29% drawdown. 30-day trend positive at +15.56% per data cache. MegaETH deployment TVL not tracked by DefiLlama — coverage gap noted.
RD-F-064 yellow TVL concentration (top-10 wallet share) Collateral basket significantly concentrated in UNIBTC (~$191.9M, ~56% of total per DefiLlama holdings 2026-05-17). Protocol docs state 40% single-asset concentration cap; UNIBTC may include operator-posted Symbiotic restaking collateral (distinct layer). If user-deposit basket is UNIBTC-concentrated above the cap, this is both a governance and economic risk finding. BTC-derivative concentration creates correlation risk under BTC stress scenarios. Top-10 depositor wallet share not available from on-chain scan.
RD-F-065 yellow Liquidity depth per major asset cUSD redemption is protocol-native via PSM (proportional basket redemption). No 2%/5% DEX depth query possible for cUSD at this TVL. stcUSD secondary DEX liquidity depth unquantified. Fractional reserve (Aave V3) provides USDC liquidity buffer; per search results, >80% of reserves deployed to Aave as of Jan 2026. Primary exit path is the PSM; in stressed redemption scenarios the 14–17.5 day Symbiotic/EigenLayer withdrawal queue governs worst-case liquidity.
RD-F-068 yellow Collateralization under stress Novel SSN underwriting model. cUSD is 'fully backed at all times' per docs but under a multi-operator default scenario with simultaneous redemption demand, the 14-day Symbiotic epoch queue and 17.5-day EigenLayer delay create a structural window where slashing enforcement lags redemption demand. Sherlock judging Issue #417 documents a vault-withdrawal-timing attack where restakers can front-run epoch boundaries to exit before slashing executes, leaving protocol with insufficient collateral. Default LTV 50%, liquidation threshold 80% per Symbiotic docs — provides headroom under single-operator default but not multi-operator concurrent failure. Collateralization adequacy under correlated stress cannot be quantified from available data. [?]
RD-F-069 yellow Algorithmic / under-collateralized stablecoin cUSD is collateral-backed (stablecoins: USDC, PYUSD, BENJI, BUIDL; plus wrapped BTC derivatives and yield-bearing tokens) — NOT algorithmic in the Terra/Luna sense. However, the peg defense relies on the novel SSN underwriting mechanism (operator restaked collateral via Symbiotic + EigenLayer as performance bonds/slashing insurance). This mechanism is untested at scale; slashing latency risk (14–17.5 days) could create temporary under-collateralization during rapid redemption events. Fractional reserve adds Aave V3 counterparty dependency. Classification: collateral-backed but novel-mechanism dependent — Ethena-adjacent yellow class, not pure-algo red.
RD-F-074 yellow ERC-4626 virtual-share offset (OZ ≥4.9) stcUSD (0x88887bE419578051FF9F4eb6C858A951921D8888) implements ERC4626Upgradeable (confirmed by Etherscan proxy read: implementation 0x42c0e0ef7c2f35de073f4d6f9c0e4483429c3d31). Built on OZ Contracts v5.2.0 (data cache github.oz_contracts_version). OZ v5.2.0 includes the virtual-share offset mechanism (introduced in OZ v4.9). However, whether the Cap implementation overrides _decimalsOffset() with a value > 0 could not be confirmed from available public sources — the OZ default is 0, which provides minimal inflation-attack protection via the +1 virtual asset/share. The 1-wei seed (F071) provides compensating first-depositor protection but is not equivalent to a high decimal-offset virtual share floor. Yellow: mitigant present (1-wei seed + OZ v5.2), specific offset unverified.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) Cap is not a Compound V2 fork. This factor is taxonomy-scoped to 'Compound-fork-only (subset of lending-only)' per §Category 4 PD-024 note. Cap is an original architecture (SSN-backed yield stablecoin / credit marketplace) with no fork lineage — confirmed by profile §5 and GitHub README. The stcUSD ERC-4626 share-inflation surface is addressed under RD-F-074 and RD-F-075.
RD-F-072 n/a Market-listing governance threshold Cap does not have a market-listing governance system. Operators are whitelisted by the protocol team via SSN operator onboarding (not permissionless listing). No per-asset market creation by governance vote. PD-024 marks this as lending-only; the Cap architecture is fundamentally different from Aave/Compound market-listing governance.
RD-F-073 n/a Oracle-manipulation-proof borrow cap Cap does not use per-asset oracle-manipulation-proof borrow caps (the Aave/Compound parameterization of borrow cap ≤ oracle pool depth × manipulation-resistance multiplier). Operator borrowing is governed by LTV ratios and individual underwriter agreements under the SSN model, not by oracle-keyed borrow caps. PD-024 marks this factor as lending-only. Not applicable to Cap's SSN credit marketplace architecture.
RD-F-066 green Utilization rate (lending protocols) Operator borrow utilization: $48.3M borrowed / $342.3M total supplied = 14.12% (data cache defillama.borrow.utilization_rate_pct). Well below any stress threshold. Cap has a structured borrow mechanism (operators borrow from Lender vault to deploy yield strategies) so factor is scored on merits despite PD-024 lending-only guidance. Low utilization implies most idle capital is deployed to Aave V3 fractional reserve.
RD-F-067 green Historical bad-debt events No documented bad debt events or cUSD peg deviations as of 2026-05-17. Protocol launched August 2025 (~9 months live). The Sherlock audit (2025-07) identified a theoretical vault withdrawal front-running risk (Issue #417 — Symbiotic epoch-boundary timing) as a theoretical bad-debt vector, but no actual loss materialized. Rekt.news cache entries (Radiant, Rari, Midas) are false positives — confirmed unrelated to Cap Labs.
RD-F-071 green Seed-deposit requirement for new market listing Cap explicitly seeds the stcUSD ERC-4626 vault with 1 wei at deployment. This is acknowledged in the Sherlock audit README as a known design choice: 'the last withdraw can revert since we can get 1 wei less funds back. We will seed the vault with 1 wei to offset this.' The 1-wei dead-shares mechanism prevents first-depositor rounding attacks and is equivalent to a minimum seed deposit. No market-listing governance exists (operators are whitelisted; no permissionless market creation), so the standard lending seed-deposit probe does not apply in its original sense.
RD-F-075 green First-depositor / share-inflation guard Confirmed: Cap seeds the stcUSD vault with 1 wei at deployment, as documented in the Sherlock audit README (known design choice). The 1-wei dead shares mechanism prevents first-depositor share-inflation attacks by ensuring totalSupply > 0 before any user deposit. Combined with OZ v5.2.0 ERC-4626 base (which includes virtual-asset/share accounting), this is adequate first-depositor protection.
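The following is an added illustration of the rounding arithmetic behind RD-F-071 and RD-F-075; it is constructed for this review and is not Cap Labs or OpenZeppelin code. It models ERC-4626 `convertToShares` / `convertToAssets` with floor rounding, with and without the OpenZeppelin v5 virtual-offset formula (an assumption about the library's accounting) and with and without a 1-wei deployer seed, and measures what a first-depositor donation costs each party. Amounts are constructed raw units of a 6-decimal asset.

```python
"""ERC-4626 first-depositor (share-inflation) arithmetic under different guards.

Constructed simulation, not Cap Labs code. It reproduces the integer rounding of
convertToShares / convertToAssets and measures what a donation attack costs the
attacker and the next depositor. Amounts are raw asset units (6 decimals, as USDC).
"""

ONE_WEI = 1


class Vault:
    """Minimal ERC-4626 accounting model (floor rounding, no fees).

    virtual_shares: OpenZeppelin v5 style virtual offset, 10**decimalsOffset
                    (assumed formula: shares = assets * (S + vs) / (A + 1));
                    0 models a classic vault with no virtual accounting.
    seed:           assets the deployer deposits before any user (Cap's 1 wei);
                    the resulting shares are dead shares and are never redeemed.
    """

    def __init__(self, virtual_shares: int = 0, seed: int = 0) -> None:
        self.total_assets = 0
        self.total_supply = 0
        self.virtual_shares = virtual_shares
        self.virtual_assets = 1 if virtual_shares else 0
        if seed:
            self.deposit(seed)  # dead shares held by the deployer forever

    def to_shares(self, assets: int) -> int:
        supply = self.total_supply + self.virtual_shares
        if supply == 0:  # classic empty vault: 1:1
            return assets
        return assets * supply // (self.total_assets + self.virtual_assets)

    def to_assets(self, shares: int) -> int:
        supply = self.total_supply + self.virtual_shares
        if supply == 0:
            return 0
        return shares * (self.total_assets + self.virtual_assets) // supply

    def deposit(self, assets: int) -> int:
        shares = self.to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def redeem(self, shares: int) -> int:
        assets = self.to_assets(shares)
        self.total_assets -= assets
        self.total_supply -= shares
        return assets

    def donate(self, assets: int) -> None:
        """Direct ERC-20 transfer to the vault: raises totalAssets, mints nothing."""
        self.total_assets += assets


def run_attack(vault: Vault, victim_deposit: int, donation: int) -> dict:
    """Attacker front-runs the first real deposit with 1 wei plus a donation."""
    attacker_shares = vault.deposit(ONE_WEI)
    vault.donate(donation)
    victim_shares = vault.deposit(victim_deposit)
    victim_out = vault.redeem(victim_shares)
    attacker_out = vault.redeem(attacker_shares)
    return {
        "victim_shares": victim_shares,
        "victim_loss": victim_deposit - victim_out,
        "attacker_profit": attacker_out - (ONE_WEI + donation),
    }


def compare_guards(victim_deposit: int = 10_000 * 10**6, donation: int = 10_000 * 10**6) -> dict:
    """Same attack replayed against five guard configurations (constructed amounts)."""
    return {
        "classic_no_guard": run_attack(Vault(), victim_deposit, donation),
        "classic_1wei_seed": run_attack(Vault(seed=ONE_WEI), victim_deposit, donation),
        "oz_v5_offset0": run_attack(Vault(virtual_shares=1), victim_deposit, donation),
        "oz_v5_offset0_1wei_seed": run_attack(Vault(virtual_shares=1, seed=ONE_WEI), victim_deposit, donation),
        "oz_v5_offset3": run_attack(Vault(virtual_shares=10**3), victim_deposit, donation),
    }


if __name__ == "__main__":
    for name, r in compare_guards().items():
        print(f"{name:24s} victim_shares={r['victim_shares']:>5} "
              f"victim_loss={r['victim_loss']:>14,} attacker_profit={r['attacker_profit']:>15,}")
```

The unguarded vault hands the victim zero shares and the attacker the whole deposit. A 1-wei seed on its own behaves exactly like the v5 virtual offset of zero: the attack becomes a net loss for the attacker, though the victim still absorbs a rounding loss proportional to the donation. Stacking the seed on the v5 base, as the page reports Cap does, widens the dead-share buffer further, and a non-zero `decimalsOffset` shrinks the residual victim loss to dust.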
Operational history Green 10 15 of 15
RD-F-076 yellow Protocol age (days) Cap's public mainnet launch was 2025-08-19 (MEXC News); as of 2026-05-17, the protocol is ~272 days live. First contracts were staged 2025-07-08 (Etherscan block 22,874,016). Yellow threshold: 90–364 days. Protocol has not yet reached the 365-day green threshold.
RD-F-084 yellow TVL stability (CoV over 90d) 90-day CoV = 0.247 (mean $268.0M, std $66.3M, 90-sample window per data cache tvl_cov_90d). Yellow band: 0.15–0.35. TVL peaked ~$483.8M in September 2025, declined to ~$153.7M by January 2026, recovered to ~$342M by May 2026. Volatility reflects early-stage protocol growth rather than a security event.
RD-F-089 yellow Insurance coverage active OpenCover integrated with the Cap Money dApp enables users to purchase Nexus Mutual cover when minting cUSD, stcUSD, or Pendle YT/PT positions (confirmed by Nexus Mutual January 2026 monthly blog). This is user-purchasable cover, not a protocol-level aggregate coverage. Aggregate cover size was not confirmed to meet >=5% of TVL ($342M x 5% = $17.1M minimum for green). No Sherlock protocol-level aggregate coverage (distinct from the bug bounty) found. Yellow: coverage infrastructure is accessible to users but aggregate protocol-level cover size unconfirmed.
RD-F-081 gray Post-exploit response score No prior exploits; post-exploit response score cannot be assessed. Gray per methodology: N/A when no incidents exist.
RD-F-082 gray Post-mortem published within 30 days No prior exploits; post-mortem publication cannot be assessed. Gray per methodology: N/A when no incidents exist.
RD-F-083 gray Auditor re-engaged after last exploit No prior exploits; re-audit after exploit cannot be assessed. Gray per methodology: N/A when no incidents exist.
RD-F-085 gray Incident response time (minutes) No prior exploits; incident response time cannot be assessed. Gray per methodology: N/A when no incidents exist.
RD-F-166 n/a Deprecated contracts still holding value Cap is a ~9-month-old original protocol with no prior contract generations. No deprecated, sunset, or retired contract addresses exist. The docs.cap.app/developers/addresses page lists only currently active contracts; no deprecated entries appear. No v1-to-v2 migration has occurred. This factor requires a prior deprecated surface to exist (not_applicable; no gap_reason per schema).
RD-F-077 green Prior exploit count Zero protocol-level exploits confirmed. In-house hacksdatabase (190+ incidents) contains no Cap entry. DefiLlama hacks API returns empty list for this protocol. Rekt.news web search for 'cap labs', 'cUSD', 'stcUSD', 'capmoney' returns no Cap incidents. The five rekt.news entries in the data cache (Radiant Capital x2, Rari Capital, Midas Capital x2) are false positives from keyword collision — discarded per U22.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Zero incidents in database; chronic-flag threshold of >=3 incidents is not reached.
RD-F-079 green Same-root-cause repeat exploit Zero incidents; same-root-cause repeat pattern cannot fire with 0 incidents.
RD-F-080 green Days since last exploit No incidents; green per methodology ('no incidents' maps to green for this factor).
RD-F-086 green Pause activations (trailing 12 months) No pause activations identified in the trailing 12 months. No Paused/Unpaused events appear in any public source (news, governance forum, X/@caplabs_, protocol docs). Profile §10 lists no incidents. Protocol has no public governance forum or incident log. [?] Full on-chain event log was not directly queried via RPC; green is based on absence of any public evidence of pause activations.
RD-F-087 green Pause > 7 consecutive days No pause events identified in trailing 12 months; extended pause >7 consecutive days cannot have occurred. Consistent with F086 finding.
RD-F-088 green Re-deployed to new addresses in last year No full protocol redeployment to new address set in the last 12 months. Cap launched on mainnet 2025-08-19 and operates on the same contract addresses. Individual UUPS proxy implementation upgrades are not address redeployments. Docs.cap.app/developers/addresses lists no deprecated or retired address sets.
Real-time signals Green 11 22 of 22
RD-F-101 yellow Large governance proposal queued T-09 v1 launch signal — applicable in spirit but structurally limited for Cap's governance architecture. Cap has no on-chain Governor contract (data cache: governance.governor_address = null, governance.snapshot_space = null). All protocol changes flow through: 3-of-5 dev multisig (0xb8FC49402dF3ee4f8587268FB89fda4d621a8793) → TimelockController (0xD8236031d8279d82E615aF2BFab5FC0127A329ab, 86400s delay). No ProposalCreated events are emitted. The signal's fire rule (ProposalCreated matching admin-change selectors) cannot execute on this architecture. Pipeline adaptation required: monitor TimelockController CallScheduled events instead. No suspicious queued transaction detected from OSINT as of 2026-05-17. Yellow: applicable surface exists (TimelockController is the governance equivalent) but signal cannot be wired up without protocol-specific adaptation.
RD-F-103 yellow Bridge signer-set change proposed/executed T-09 v1 launch signal. LayerZero OFT bridge is live for cUSD and stcUSD to MegaETH — confirmed by: (a) Electisec 'LZ vault' audit scope dated 2025-05-25, (b) cap.app blog post announcing MegaETH launch 2026-01-05, (c) same vanity addresses (0xcCcc...cccC, 0x8888...8888) on both chains. Data cache `layerzero.present:false` is a confirmed pipeline false negative. No DVN signer-set change events detected from OSINT as of 2026-05-17. Signal is applicable but DVN configuration (OApp address, DVN count, DVN threshold) cannot be verified without curator locating the LayerZero OApp address on Ethereum mainnet — a known gap. Yellow: signal should fire on this protocol; live arming requires OApp address verification.
RD-F-090 gray Mixer withdrawal → protocol interaction T-09 phase-2 signal. Wallet clustering attribution feed not live in production. No public evidence of mixer-funded wallet interaction with Cap found via OSINT web searches. Applicable to Cap (open deposit/borrow protocol) but pipeline not implemented. When live, threshold: wallet withdrew from Tornado Cash/Railgun within 30 days AND interacts with protocol with >$100k value AND flagged by >=2 independent attribution sources.
RD-F-092 gray Unusual mempool pattern from deployer wallet T-09 v2-deferred signal (promotes if deployer-wallet behavior becomes a standalone attribution axis). Deployer EOA 0xc1ab5a9593E6e1662A9a44F84Df4F31Fc8A76B52 has 1304 total transactions per Etherscan — consistent with active protocol deployment and operations, no public anomalous pattern identified. Deployer also holds TimelockController executor role — unusual mempool activity from this address would be significant. Mempool monitoring not live.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet T-09 v2-deferred signal. Per-wallet gas-priority monitoring not live. No public anomalous gas-willingness pattern reported for Cap-targeting wallets in OSINT. Signal requires live mempool monitoring with per-wallet priority-fee EMA baseline.
RD-F-094 gray New contract with similar bytecode to exploit template T-09 v2-deferred signal. No live new-deploy sweep with bytecode similarity check against Cap's contracts. Cap uses UUPS proxy pattern + AccessControl — bytecode-similar exploit-template contracts are a plausible class. No specific exploit-template deployment targeting Cap found via OSINT web searches.
RD-F-095 gray Known-exploit function-selector replay T-09 v2-deferred signal. No live selector-pattern monitor. Cap uses UUPS proxies with upgradeToAndCall and initialize selectors — known exploit-replay surface. No specific known-exploit-template replay pattern detected via OSINT.
RD-F-096 gray New ERC-20 approval to unverified contract from whale T-09 v2-deferred signal (classified as user-level, not protocol-level, for v1). $342M TVL implies large depositors exist. No live approval monitor. Pipeline for ERC-20 approval monitoring not implemented.
RD-F-097 gray Sybil surge of identical-pattern transactions T-09 v2-deferred signal. Sybil surge monitoring not live. Relevant for Cap's Homestead Program (active through 2026-07-23) where sybil activity is a plausible attack vector against subsidized yield allocation. No live sybil-clustering monitor.
RD-F-099 gray Oracle price deviation >X% from secondary T-09 phase-2 signal. 19 Chainlink price feeds confirmed in data cache (ETH/USD, USDC/USD, USDT/USD, BTC/USD, LINK/USD, COMP/USD, AVAX/USD, UNI/USD — multiple instances per pair for different markets). 1 Redstone feed (cUSD oracle adapter 0x9A5a3c3Ed0361505cC1D4e824B3854De5724434A). All Chainlink feeds have heartbeat 3600–86400s and 0.25%–2% deviation thresholds. No oracle failure events detected via OSINT. Secondary-source comparison map not built (prerequisite for phase-2 implementation). When live, signal fires on |primary-secondary|/primary > 1% for 4+ blocks on any safety-critical feed.
RD-F-100 gray Flash loan >$10M targeting protocol tokens T-09 phase-2 signal. Cap's Lender contract (0x15622c3dbbc5614E6DFa9446603c1779647f01FC) is a borrow pool; Aave V3 flash loans are used by operators as part of the core borrow workflow. Flash-loan targeting at >=10M USD notional interacting with the Oracle or Lender contract would be the fire condition. No known flash-loan exploit event detected via OSINT. Per-block scan not implemented.
RD-F-102 gray Admin/upgrade transaction in mempool T-09 phase-2 signal. Applicable: cUSD (0xcCcc...cccC), stcUSD (0x8888...8888), Lender (0x1562...1FC), AccessControl (0x7731...683) are all UUPS proxies. Dev multisig is proposer; deployer EOA 0xc1ab5a9593 is executor on TimelockController — making unilateral executor action without multisig co-sign possible (flagged in profile §11). Most recent GitHub commit 2026-05-08 indicates active development; upgrade transactions may be ongoing. Mempool listener not live.
RD-F-105 gray DNS/CDN/frontend hash drift T-09 phase-2 signal. cap.app production frontend is the monitoring target. Domain appears stable from OSINT (no DNS change or compromise reported). Hash-monitor not live. 'cap' is a short, common word with high ambient impersonation risk — see RD-F-161 for typosquat assessment. Signal requires: DNS A/AAAA record hash, TLS cert serial, HTML DOM root hash, top-5 JS bundle hashes vs prior baseline — none established.
RD-F-106 gray Cross-chain bridge unverified mint pattern T-09 v2-deferred signal. LayerZero OFT bridge to MegaETH is live — an unverified-mint pattern (message forged on Ethereum → unbacked cUSD minted on MegaETH) is the applicable threat model. No cross-chain indexer live. No unverified-mint event detected via OSINT. DVN configuration gap compounds this (OApp address unverified — see RD-F-103 notes).
RD-F-107 gray Admin EOA signing from new geography/device T-09 v2-deferred signal. Deployer EOA 0xc1ab5a9593 is a Timelock executor with unilateral execution ability — geography/device anomalies on this address would be load-bearing. Off-chain signal requiring MPC/session-key provider data or geo-IP signing telemetry — no public data source available.
RD-F-108 gray GitHub force-push to sensitive branch T-09 v2-deferred signal. github.com/cap-labs-dev/cap-contracts is the production repo (749 commits, last commit 2026-05-08 per data cache). Force-push or unexpected-account push monitoring requires GitHub API permissioned access per protocol. Recent commit activity (2026-05-08) is expected and not anomalous. Monitoring not live.
RD-F-109 gray Social-media impersonation scam spike T-09 v2-deferred signal. 'cap' / 'caplabs' is a high-collision name for social media impersonation. Active X account @caplabs_ / @capmoney_ and Discord discord.gg/TnQTGuYqEq. No specific scam-spike reported for Cap in OSINT web searches (returned only general 2025-2026 phishing trend articles). Social-listening monitor not live.
RD-F-110 n/a Unusual pending/executed proposal ratio Not applicable — Cap has no on-chain Governor contract. Data cache confirms: governance.governor_address = null, governance.snapshot_space = null. No ProposalCreated events are emitted by this protocol. A pending/executed proposal ratio cannot be computed for a TimelockController-only architecture.
RD-F-091 green Partial-drain test transactions No partial-drain test transaction pattern detected. DefiLlama daily TVL series (data cache, 250+ days) shows consistent growth trajectory and oscillation patterns consistent with market-driven flows, no anomalous step-down pattern consistent with a pre-strike partial drain (e.g., small drains from specific contracts followed by larger drain). TVL currently $342M vs 30d baseline ~$268M. The Jan 2026 drawdown from $483M to $153M was gradual (weeks, not hours) and consistent with redemption flows, not a test-drain pattern.
RD-F-098 green TVL anomaly — % drop in <1h T-09 v1 launch signal. TVL = $342.2M as of 2026-05-17 (data cache). 30d mean = $267.97M (tvl_cov_90d.mean from data cache). Ratio current/baseline = 1.28 — well above the 0.70 threshold. 24h change = -0.13% (trivial). No acute drain detected. Historical note: TVL declined from $483.8M peak (2025-09-28, ts=1769558400) to $153.7M trough (~2026-01-02, ts=1772150400) over ~96 days — a 68% decline, but this was a gradual market-driven redemption, not a 1-hour 30%+ drop trigger. Current TVL recovery trajectory is positive. Secondary precursor rule (7%+ drop in 15 min to unlisted destinations) also not triggered per daily TVL series pattern.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue T-09 v1 launch signal. Primary exposure: USDC (fractional reserve vault 0x3Ed6aa32c930253fc990dE58fF882B9186cd0072) and USDT (Chainlink feeds present: USDT/USD 0x3E7d1eAB13ad0104d2750B8863b489D65364e32D and 0xe108E75d6bA28F14EA51F24F886c0B6BBeca575a and 0x7bB7bF4ca536DbC49545704BFAcaa13633D18718, heartbeat 86400s, 0.25% deviation). No active stablecoin depeg detected as of 2026-05-17. USDC and USDT have been stable at $1.00 ± 0.1% for extended periods. Signal threshold: |price - peg|/peg > 2% on >=2 venues sustained >=30 min AND protocol exposure >=5% TVL. Current posture: below threshold.
RD-F-182 green Security-Council threshold reduction (RT) RD-F-182 batch-24 addition, Cat 6B. T-09 v1.1 candidate. Signal fires on: Security Council / protocol multisig threshold reduction + timelock removal + new-signer addition within <=14 days. Current state: Dev multisig (0xb8FC49402dF3ee4f8587268FB89fda4d621a8793) threshold = 3, owner_count = 5 (confirmed by Safe API in data cache, api_status: found). Cap Token Owner multisig (0x80A216738E4e49B262Deae6bEb6578Bdf164c2eA) threshold = 3, owner_count = 5 (same signers). TimelockController delay = 86400s (24h) — timelock has NOT been removed. No threshold reduction from 3/5 to 2/5 or below detected. No within-14-day combined event (threshold change + timelock removal + new signer) detected. Reference event (Drift Protocol): 3/5 → 2/5 SC + timelock removal executed 6 days before $285M DPRK exploit — this pattern is absent here. Current posture is clean.
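The signal rules stated in this category (RD-F-084 CoV band, RD-F-098 TVL ratio floor, RD-F-099 oracle deviation streak, RD-F-182 council-weakening combination) are straightforward to encode, and the following added example does so over constructed inputs. It is not Cap's or the assessment pipeline's code; it assumes a population standard deviation for the CoV and treats anything above the yellow band as red, neither of which the page states. The two TVL figures fed to the drain rule are the ones the page reports; every other input is constructed.

```python
"""Evaluators for the real-time signal rules described in this category.

Constructed example, not Cap's monitoring pipeline. Thresholds are the ones
stated on the page (CoV yellow band 0.15-0.35, TVL ratio floor 0.70, oracle
deviation >1% for 4+ blocks, council threshold cut + timelock removal + new
signer within 14 days). All sample data below is constructed.
"""
from datetime import date, timedelta
from statistics import mean, pstdev


def tvl_cov(series: list[float]) -> float:
    """Coefficient of variation over a TVL window (population std: an assumption)."""
    return pstdev(series) / mean(series)


def cov_band(cov: float) -> str:
    if cov < 0.15:
        return "green"
    if cov <= 0.35:
        return "yellow"  # band stated on the page
    return "red"  # assumed: above the yellow band


def tvl_drain_fires(current: float, baseline_mean: float, floor: float = 0.70) -> bool:
    """Fires when TVL has fallen below 70% of the 30-day baseline mean."""
    return current / baseline_mean < floor


def oracle_deviation_fires(primary: list[float], secondary: list[float],
                           max_dev: float = 0.01, min_blocks: int = 4) -> bool:
    """Fires on |primary-secondary|/primary > max_dev for min_blocks consecutive blocks."""
    streak = 0
    for p, s in zip(primary, secondary):
        streak = streak + 1 if abs(p - s) / p > max_dev else 0
        if streak >= min_blocks:
            return True
    return False


COUNCIL_KINDS = {"threshold_reduced", "timelock_removed", "signer_added"}


def council_weakening_fires(events: list[tuple[date, str]], window_days: int = 14) -> bool:
    """Fires when all three council-weakening events land inside one window."""
    for start, _ in events:
        end = start + timedelta(days=window_days)
        seen = {kind for when, kind in events if start <= when <= end}
        if COUNCIL_KINDS <= seen:
            return True
    return False


# Constructed inputs
TVL_SERIES = [200e6] * 45 + [300e6] * 45  # mean 250M, std 50M -> CoV 0.20
CLEAN_EVENTS = [
    (date(2026, 1, 1), "threshold_reduced"),
    (date(2026, 3, 1), "signer_added"),
    (date(2026, 3, 20), "timelock_removed"),  # 19 days after the signer change
]
DRIFT_PATTERN = [  # the three events packed into six days
    (date(2026, 3, 1), "threshold_reduced"),
    (date(2026, 3, 4), "timelock_removed"),
    (date(2026, 3, 6), "signer_added"),
]


def evaluate_all() -> dict:
    cov = tvl_cov(TVL_SERIES)
    return {
        "tvl_cov": round(cov, 4),
        "tvl_cov_band": cov_band(cov),
        "tvl_drain_now": tvl_drain_fires(342.2e6, 267.97e6),  # figures from the page
        "tvl_drain_stress": tvl_drain_fires(180e6, 267.97e6),  # constructed stress case
        "oracle_3_blocks": oracle_deviation_fires([1.0] * 5, [1.0, 1.0, 1.02, 1.02, 1.02]),
        "oracle_4_blocks": oracle_deviation_fires([1.0] * 6, [1.0, 1.0, 1.02, 1.02, 1.02, 1.02]),
        "council_clean": council_weakening_fires(CLEAN_EVENTS),
        "council_drift_pattern": council_weakening_fires(DRIFT_PATTERN),
    }


if __name__ == "__main__":
    for name, value in evaluate_all().items():
        print(f"{name:22s} {value}")
```

The council rule is the one worth wiring first on this protocol: with no Governor, the observable events are Safe owner/threshold changes on the two multisigs and role changes on the TimelockController, and the rule only needs their dates and kinds.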
Dev identity & insider risk Green 13 16 of 16
RD-F-111 yellow Team doxx status CEO Benjamin Sarquis Peillard is semi-doxxed: real name confirmed on Epicenter podcast ep. 618, Blockworks article, RockawayX blog post, and Stablecoin Summit Cannes appearance. X handle @Benjamin918_ is public. CTO Weso (GitHub: MirthFutures) is a consistent pseudonym with verifiable track record as Beefy Finance co-founder ($1B TVL). Developers prevostc (GitHub 2011) and kexleyBeefy (Beefy-affiliated) are pseudonymous with established track records. The 5 multisig signer EOAs (0xDD30..., 0xdf46..., 0x7c29..., 0x62D0..., 0xA62f...) have no linked public identities. Mixed status: semi-doxxed CEO + pseudonym-with-track-record CTO + anonymized effective decision-makers.
RD-F-112 yellow Team public accountability surface CEO has verifiable accountability surface: Epicenter podcast interview, Blockworks and Fortune press coverage, Stablecoin Summit Cannes attendance, X profile. CTO Weso has Twitter (@w3sobeefy), Transak blog interview, and co-founder credit at Beefy Finance. Developer kexleyBeefy has Twitter presence. Developer prevostc has a 14-year GitHub history but no social or press presence. The 5 multisig signers are addresses-only with no public accountability surface. Team accountability is moderate but incomplete — effective control rests partly with unidentified signers.
RD-F-117 yellow ENS/NameStone identity bound to deployer Etherscan carries a platform name tag 'Cap: Deployer 1' for 0xc1ab5a9593E6e1662A9a44F84Df4F31Fc8A76B52, but this is a platform label, not an ENS or NameStone name. Web search for ENS binding of deployer address or dev multisig signers returns no results. No ENS-resolvable identity bound to deployer. This is a minor hygiene gap rather than a risk signal.
RD-F-121 yellow Contributor OSINT depth score Curator OSINT depth scores: CEO Benjamin Sarquis Peillard ~3/5 — real name, podcast, press, conference; no LinkedIn depth confirmed. CTO Weso ~3/5 — established pseudonym, Twitter, blog interview, Beefy co-founder history, prior Fortune 50 employment claim; no real name. prevostc ~2/5 — GitHub only (14-year account). kexleyBeefy ~2/5 — Twitter + GitHub, Beefy affiliation. 5 multisig signers ~1/5 each — on-chain only. Team depth is above the typical anon-rug pattern but below fully institutionally-doxxed standards. Aggregate OSINT depth is moderate.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion §7-rule-5 applied: Cap's publicly-disclosed 3-of-5 dev multisig → 24h Timelock governance is NOT a F123 concealment event — it is disclosed at docs.cap.app/developers/addresses. GitHub PR history (PRs #240–#264) shows no title indicative of a surprise ACL change or admin-rescue: PRs cover oracle adapters (FalconXUSDC, lBTC, market rate), OFT config, contract archival, and dashboard tooling. TimelockController enforces 24h delay on all multisig-initiated changes. YELLOW assigned for the structural executor asymmetry: deployer EOA 0xc1ab5a9593... retains Timelock executor role alongside the dev multisig, creating a unilateral execution path for a single EOA outside Safe quorum. No admin-rescue or ACL change via this path has occurred as of 2026-05-17, but the latent surface is elevated risk relative to a pure-multisig setup. Not red because no concealment event has occurred.
RD-F-119 gray Commit timezone consistent with stated geography Cap Labs is reportedly based in Panama (brief press mention). GitHub commit activity shows contributors MirthFutures, prevostc, kexleyBeefy active across recent dates. Full commit-hour distribution not extracted at timezone-distribution analysis level — GitHub API returns UTC timestamps but programmatic timezone-anomaly analysis (DPRK +9 pattern detection) was not performed. No obvious timezone anomaly visible in the sampled commit data. Cannot confirm or deny tz consistency without full commit-hour distribution analysis.
RD-F-122 n/a Contributor paid to DPRK-cluster wallet Cap Labs operates as a corporate entity (operating company in Panama per press coverage). Payroll is presumed off-chain. No on-chain payment streams to contributors are publicly identifiable. Per process-learnings for dev-identity-analyst: for off-chain payroll companies, mark NOT ASSESSED beyond the deployer unless on-chain payment streams exist. No on-chain contributor payment streams found. DPRK cluster linkage via payment routing is not assessable at OSINT tier for this protocol.
RD-F-184 gray Real-capital social-engineering persona F184 definition: curator-flagged 'team contributor' or 'external integrator' persona with ≥$1M attributed real-capital deposits to target protocol or peer protocols, used to build credibility ahead of a social-engineering attack (Drift Protocol / UNC4736 pattern — 6-month in-person persona build-up with real capital before Solana durable-nonce pre-signing). No such pattern identified for Cap Labs. Cap operates an operator/restaker credit model where external operators legitimately deposit large collateral — these are business-model deposits, not persona-building events. No anomalous suspicious-persona large-deposit pattern flagged in OSINT. Per process-learnings §dev-identity-analyst: F184 is gray by design — don't try to prove a negative for a pattern that by construction leaves no public trace.
RD-F-113 green Team other-protocol involvement history CEO Benjamin Sarquis Peillard previously scaled QiDAO (a CDP stablecoin protocol) from $0 to $400M TVL. QiDAO has no exit-scam or rug history. CTO Weso (MirthFutures) was a founding member of Beefy Finance, which reached $1B peak TVL and remains operational. Developer kexleyBeefy has Beefy Finance affiliation. No prior rug, exit-scam, or failed-protocol association found for any identified Cap team member in multi-query OSINT search.
RD-F-114 green Deployer address prior on-chain history Deployer EOA 0xc1ab5a9593E6e1662A9a44F84Df4F31Fc8A76B52 is labeled 'Cap: Deployer 1' on Etherscan. First transaction approximately June 2025 (339 days before 2026-05-17). 1,304 total transactions showing protocol-consistent activity: cUSD/USDC token transfers, contract deployments, DEX interactions, LayerZero calls, Morpho interactions. No prior rug, exploit, or anomalous drain activity identified. Address was purpose-created for Cap; no pre-Cap history suggesting reuse from a failed project.
RD-F-115 green Prior rug/exit-scam affiliation Multi-query OSINT search for 'Cap Labs rug,' 'Cap money exit scam,' 'QiDAO rug' (CEO prior), and 'Beefy Finance rug' (CTO prior) returns no rug or exit-scam results. QiDAO and Beefy Finance are established protocols with ongoing operations and no rug classification in REKT database or public sources. Rekt cache entries in 00-data-cache.json (Radiant, Rari, Midas) are false positives per §11 profile note — unrelated to Cap team.
RD-F-116 green Contributor tenure at admin-permissioned PR Primary contributors to cap-contracts: MirthFutures (Weso) — GitHub account created 2020-08-11, 277 commits, co-founder tenure; prevostc — GitHub account created 2011-08-23 (14+ year account), 264 commits; kexleyBeefy — Beefy Finance tenure, 204 commits. Most recent admin-permissioned PRs (#263 archive old contracts, #260 update market rate adapter, #258 Add FalconXUSDC Oracle) authored by MirthFutures/Weso — a co-founder with the longest tenure in this project. No recent-hire or fresh-contributor admin-permissioned code change identified.
RD-F-118 green Handle reuse across failed/rugged projects OSINT search for handle reuse across rugged/failed projects returned no results for @Benjamin918_ (CEO), @w3sobeefy / MirthFutures (CTO/Weso), @kexleyBeefy, or prevostc. Beefy Finance and QiDAO (prior projects of team members) are ongoing solvent protocols not associated with rug or exit-scam history. No alias reuse pattern identified.
RD-F-120 green Video-off/voice-consistency flag CEO Benjamin Sarquis Peillard appeared on the Epicenter podcast (ep. 618) in an audio/video format. YouTube episode is publicly accessible. No curator-recorded video-off flag or voice/geography inconsistency flagged in public record. One public in-person conference appearance (Stablecoin Summit, Cannes, June 2025) reported in press.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer EOA 0xc1ab5a9593E6e1662A9a44F84Df4F31Fc8A76B52 (labeled 'Cap: Deployer 1') first transaction approximately June 2025. Funded 1-hop by 0x100E9db9b44c9b6278E33A5F8c7c34d22a1BD782 — this address is unlabeled on Etherscan with zero ETH balance and no transactions (per WebFetch), carrying no Tornado Cash / Railgun / Sinbad / mixer label. Etherscan visible transaction history for the deployer shows standard protocol activity (cUSD, USDC, LayerZero, Morpho, DEX). No public OSINT or blockchain intelligence source attributes mixer funding to this address. 30-day window: no mixer interaction observed. Per rubric, F124 requires positive evidence of mixer funding within 30 days; absence of such evidence scores green. Residual note: 2nd-hop origin not confirmed due to dynamic Etherscan rendering (Etherscan shows only most recent 25 of 1,304 transactions programmatically); curator follow-up recommended to verify complete funding lineage.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus Comprehensive OSINT search for DPRK/Lazarus proximity: (1) 'Cap Labs DPRK,' (2) 'Cap money Lazarus,' (3) 'cUSD North Korea,' (4) 'Cap labs Tornado mixer deployer OFAC' — all return zero Cap-specific results. OFAC SDN search: no Cap-associated address matched. Public blockchain intelligence (Chainalysis blog, TRM Labs, OFAC announcements 2025–2026) covers major DPRK-linked exploits (Bybit Feb 2025 $1.5B, Kelp DAO Apr 2026 $292M) with no Cap Labs mention. 1-hop funder of deployer (0x100E9db9...) carries no DPRK-cluster label. U4 rule confirmed not applicable: no attacker-used-Cap-as-drain-venue event reported. No escalation required.
Fork / dependency lineage Green 11 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions package.json uses '@openzeppelin/contracts': '^5.2.0' in the resolutions field — the caret allows minor version updates within v5.x. .gitmodules contains layerzero-devtools, layerzero-v2, openzeppelin-foundry-upgrades, forge-std, and other submodules without explicit commit pins. The OZ resolutions field partially pins (5.2.0 baseline) but '^' allows 5.2.x → 5.x.x updates. For maximum security, exact version pinning (no caret/tilde) is best practice. However, within a major version, OZ minor releases are typically backward compatible and security-reviewed.
RD-F-126 n/a Is-a-fork-of Cap is an original architecture — not a fork of any existing protocol. The GitHub README states: 'This repository contains the core contracts for the CAP platform.' No fork claim in README, docs, or any audit report. Cap integrates LayerZero OFT, Symbiotic, EigenLayer, Aave V3, and OZ libraries as integrations, not as a fork of a single upstream. Not applicable per protocol-type guidance.
RD-F-127 n/a Upstream patch not merged Not applicable: Cap is an original protocol with no upstream fork from which patches could be unmerged.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not applicable: Cap is an original protocol. No upstream fork exists for upstream vulnerability disclosures to propagate from.
RD-F-129 n/a Code divergence from upstream (%) Not applicable: Cap is an original protocol. No upstream codebase exists from which to measure divergence percentage.
RD-F-130 n/a Fork depth (generations from original audit) Not applicable: Cap is an original protocol (fork depth = N/A, not generation 0). There is no lineage chain from an audited upstream.
RD-F-131 n/a Fork retains upstream audit coverage Not applicable: Cap is an original protocol. It has 9 independent fresh audit engagements (the superior coverage model), making the fork-audit-coverage framing irrelevant.
RD-F-132 n/a Fork has different economic parameters than upstream Not applicable: Cap is an original protocol with no upstream audited economic parameter defaults to deviate from.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release security advisories found for any Cap dependencies (LayerZero devtools, OpenZeppelin Contracts 5.x, forge-std, openzeppelin-foundry-upgrades) in the trailing 90 days as of 2026-05-17. OZ 5.2.x is a recent stable release with active maintenance. No GHSA advisory flags found for any used package.
RD-F-135 green Shared-library version with known-vuln status OpenZeppelin Contracts v5.2.0 (primary security-critical library) has no active high/critical CVE or GHSA advisory as of 2026-05-17. OZ 5.2.0 was released December 2024 and has no known critical issues. LayerZero v2 library was covered by the Electisec LZ vault audit (2025-05-25). forge-std is a testing library, not a production security-critical dependency.
Post-deploy hygiene & change mgmt Yellow 28 13 of 13
RD-F-139 red Post-audit code changes without re-audit [★ CRITICAL] cUSD upgraded 2026-02-25 (~90 days after Spearbit PR Review 2025-11-27). GitHub shows 8-10 commits between Nov 2025 and Feb 2026 upgrade (timelock implementation, EigenLayer operator updates merged). Octane audit (2026-03-24) post-dates the upgrade by ~27 days but its commit SHA scope is unconfirmed. EigenAgentManager and SymbioticMiddleware also upgraded ~Feb 2026 — Certora (2025-09-15) scope predates by ~5 months. Material post-audit code changes deployed without confirmed subsequent audit coverage.
RD-F-185 red Bridge rate-limiter / chain-pause as positive mitigant Cap bridges cUSD/stcUSD to MegaETH via LayerZero OFT (confirmed by Electisec audit 2025-05-25 and cap.app MegaETH launch blog). No rate-limiter contract or per-window outflow cap found in Cap's deployed contract suite. No documented chain-pause mechanism available to Cap's team. Per rubric: yellow = one control present, red = neither control. Neither rate-limiter nor chain-pause confirmed.
RD-F-136 yellow Deployed bytecode matches signed release tag GitHub repo has commits (last: 2026-05-08) but no GPG-signed release tags confirmed. No published signed release tag matching the Feb 2026 cUSD implementation deployment.
RD-F-137 yellow Upgrade frequency (per 90 days) In last 90 days: cUSD upgraded 2026-02-25 (1), EigenAgentManager upgraded ~2026-02-27 (1), SymbioticMiddleware upgraded ~2026-02-25 (1). Total ~3 upgrades = yellow per rubric (3-5 = yellow).
RD-F-145 yellow Deployed bytecode reproducibility Foundry-based project with deterministic build settings (optimizer 200 runs, via_ir=true, solc 0.8.28). No public reproducibility confirmation or curator verification performed.
RD-F-146 yellow New contract deploys in last 30 days CAP governance token (0x9999...9999) deployed ~8 days ago (circa 2026-05-09). At least 1 new contract deploy in last 30 days. Per rubric: 0-2 = green, 3-5 = yellow. Yellow for 1 major new contract deploy (CAP token) within 30 days.
RD-F-142 gray Storage-layout collision risk across upgrades Multiple cUSD implementations (7 total), 4 Lender versions, 2 stcUSD versions. OZ upgrades-plugin storage layout check not available via WebFetch. Curator-run infrastructure check required.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No Upgraded events in last 30 days across main proxies (cUSD, stcUSD, Lender, EigenAgentManager, SymbioticMiddleware). Most recent upgrades were ~78-80 days ago.
RD-F-140 green Fix-merged-but-not-deployed gap No publicly documented security fix known to be merged but not deployed. No CVE or GHSA advisory for cap-labs-dev/cap-contracts. Zero protocol-level incidents per Cat 5 assessment.
RD-F-141 green Test-mode parameters in deploy No test-mode parameters identified. Timelock constructor uses production values (delay=86400s, proper multisig addresses). AccessControl admin is dev multisig (not deployer EOA).
RD-F-143 green Reinitializable implementation (no _disableInitializers) Lender implementation (0x68c4...aaa7): _disableInitializers() confirmed in constructor. CAP token implementation (0x9c85...): _disableInitializers() confirmed. cUSD/stcUSD implementations use proxy pattern with constructor preventing direct init (confirmed via source analysis). AccessControl implementation inherits OZ Initializable with initializer guard.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory with same-address redeploy pattern identified. CreateX used for some deploys but no selfdestruct + CREATE2 pattern for protocol proxy contracts.
RD-F-168 green Stale-approval exposure on deprecated router No deprecated router/protocol contracts identified with active user approvals. No contract retirements with stale approval surfaces found.
Cross-chain & bridge Yellow 20 12 of 12
RD-F-148 yellow Bridge validator count (M) LayerZero v2 uses DVN model, not a fixed validator set. See F179 for the LZ-specific DVN assessment. CheckOFTConfig.s.sol shows 3 expected DVNs on Ethereum (LZ Labs 0x589dEDbD..., Nethermind 0xa59BA433..., Canary 0xa4fE5A5B...) but actual deployed DVN count not confirmed via on-chain ep.getConfig() read. Yellow because architecture supports 3-DVN configuration but on-chain verification not completed.
RD-F-149 yellow Bridge validator threshold (k-of-M) LayerZero v2 DVN threshold (requiredDVNCount) not confirmed on-chain. CheckOFTConfig.s.sol reads threshold dynamically from ep.getConfig() without asserting a minimum. Curator must call ep.getConfig(sendLibAddress, 0xA62571EbdFfAbC3051a2e5B9e1f57b23D830c8Fd, 30398, CONFIG_TYPE_ULN) on Ethereum EndpointV2 to confirm requiredDVNCount >= 2. If requiredDVNCount == 1, this upgrades to red (Kelp DAO $292M class). Post-Kelp (April 2026), LayerZero mandated multi-DVN configs; not confirmed for Cap.
RD-F-150 yellow Bridge validator co-hosting DVN operators confirmed: LayerZero Labs (0x589dEDbD617e0CBcB916A9223F4d1300c294236b), Nethermind (0xa59BA433ac34D2927232918Ef5B2eaAfcF130BA5), Canary (0xa4fE5A5B9A846458a70Cd0748228aED3bF65c2cd) per CheckOFTConfig.s.sol for Ethereum EID 30101. These are 3 distinct organizations with independent infrastructure. [?] Cannot confirm non-co-hosting without OSINT on DVN operator ASN/data-center. Yellow as precautionary — no evidence of co-hosting found but cannot verify.
RD-F-155 yellow Bridge validator-set rotation recency DVN operators (LZ Labs, Nethermind, Canary) are independent third-party services; their internal validator rotation is not tracked publicly. No changes to OFT lockbox DVN configuration detected in available transaction history. DVN set is configured and updatable via ConfigureOApp.s.sol admin calls by Cap admin. Rotation recency cannot be confirmed without direct monitoring of DVN operator events.
RD-F-156 yellow Bridge uses same key custody for >30% validators [?] Cannot confirm DVN key custody without OSINT. LayerZero Labs, Nethermind, and Canary are independent organizations with presumed separate custody. No evidence of shared custody found. Yellow as precautionary — inference of separate custody from organizational independence, not confirmed.
RD-F-179 yellow LayerZero OFT DVN config (count, threshold, diversity) LayerZero v2 OFT confirmed. CheckOFTConfig.s.sol defines expected DVNs for Ethereum EID 30101: LayerZero Labs (0x589dEDbD617e0CBcB916A9223F4d1300c294236b), Nethermind (0xa59BA433ac34D2927232918Ef5B2eaAfcF130BA5), Canary (0xa4fE5A5B9A846458a70Cd0748228aED3bF65c2cd). This is 3-DVN architecture. HOWEVER: actual on-chain requiredDVNCount (k-of-3 threshold) not confirmed via direct ep.getConfig() call on EndpointV2. Script reads dynamically without asserting minimum. Post-Kelp DAO $292M (April 2026 — 1-of-1 DVN), LayerZero mandated multi-DVN configs. Whether Cap was swept into compliance is unconfirmed. Curator MUST verify: ep.getConfig(sendLib, 0xA62571EbdFfAbC3051a2e5B9e1f57b23D830c8Fd, 30398, CONFIG_TYPE_ULN) on Ethereum. If requiredDVNCount == 1 → upgrade to red.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) Cap uses LayerZero v2 OFT protocol (OFTAdapterUpgradeable from @layerzerolabs/oft-evm-upgradeable). LayerZero v2 uses DVN attestation + lzReceive pattern, not ecrecover-based validator signatures. The Wormhole-class ecrecover zero-address check vulnerability does not apply to LayerZero v2 architecture.
RD-F-154 n/a Default bytes32(0) acceptable as valid root Cap uses LayerZero v2 OFT, which uses a DVN attestation model rather than Merkle root-based message validation. The Nomad-class bytes32(0) default-root vulnerability (acceptance of uninitialized Merkle root = accept any message, $190M) does not apply to LayerZero v2 architecture, which has no Merkle root acceptance path.
RD-F-147 green Protocol has bridge surface Cap bridges cUSD and stcUSD to MegaETH via LayerZero v2 OFT. OFT lockbox on Ethereum: cUSD 0xA62571EbdFfAbC3051a2e5B9e1f57b23D830c8Fd, stcUSD 0x983AEAaA0d0426839158435C43725EA7F45d4137 (from config/oft-deployments.json). LayerZero EndpointV2: 0x1a44076050125825900e736c501f859c50fE728c. Electisec 'LZ vault' audit 2025-05-25 confirms bridge was audited before mainnet launch.
RD-F-152 green Bridge binds message to srcChainId LayerZero v2 OFT protocol includes source EID in message packets. Ethereum EID = 30101, MegaETH EID = 30398 per layerzero-v2-deployments.json. Messages are bound to (srcEid, dstEid, nonce) tuple in EndpointV2. Per-chain separation enforced by EndpointV2 packet structure at the protocol level.
RD-F-153 green Bridge tracks nonce-consumed mapping LayerZero v2 EndpointV2 tracks nonce consumption via nextNonce(srcEid, sender, dstEid) mechanism and rejects replayed packets. This is a core protocol invariant in LZ v2 — nonce ordering is enforced at the endpoint level.
RD-F-157 green Bridge TVL per validator ratio cUSD OFT lockbox holds $258,392 (258,441 cUSD) as of assessment per Etherscan. Per-DVN TVL = $258K / 3 DVNs = ~$86K per validator. At current bridged TVL, per-validator concentration is low. DefiLlama attributes 100% of $342M TVL to Ethereum mainnet — MegaETH bridged TVL not separately tracked. Low absolute bridge TVL relative to total protocol TVL.
Threat intelligence & recon Green 11 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) F161 typosquat/protocol-impersonator domain assessment for cap.app. 'cap' is a 3-letter, extremely common English word with very high potential for confusable domains (cap-app.io, capdapp.com, getcap.app, capprotocol.com, etc. would all be trivially registerable). The 90-day window requires domain-registration-date-to-2026-05-17 delta — this delta cannot be computed without a WHOIS API or domain-monitoring feed (persistent gap per process learnings). OSINT web searches for 'cap.app typosquat phishing impersonation' returned only general phishing guidance articles; no Cap-specific typosquat incident was found in public reporting. Absence of public incident ≠ clean posture for a protocol of this TVL ($342M) and short brand name. Risk rating elevated to yellow because: (a) short, common-word domain creates trivially high confusable-domain surface; (b) WHOIS monitoring feed absent; (c) no domain monitoring allowlist established per T-09 RD-F-105 prerequisites. Registration-date-to-assessme
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) T-09 v2-deferred signal. No mempool + threat-actor-cluster correlator live. No specific mempool probe pattern (failing low-gas txs to Cap contracts from threat-actor-labeled wallets) detected via OSINT. Requires live mempool monitoring combined with curated threat-actor wallet list.
RD-F-162 gray Known-exploit-template selector deployed by any address T-09 v2-deferred. No live exploit-template DB or new-contract-deploy sweep. Cap uses UUPS proxy + AccessControl + TimelockController architecture — a class for which known-exploit-template contracts (unprotected initialize, upgradeToAndCall replay) exist. No specific exploit-template deployment targeting Cap found in OSINT. Requires live contract-deploy scan with bytecode selector fingerprint matching.
RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols Narrative signal — average attacker wallet reconnaissance time before strike on similar-class protocols. Cap is a novel SSN-backed yield stablecoin / credit marketplace with no direct peer-class exploit precedent. Analogous attack classes: SSN underwriting manipulation (operator default), oracle manipulation, governance takeover via multisig compromise. Typical recon times per T-01 evidence: USPD-class 78 days average; Drift insider implant 6 days. No specific recon pattern detected targeting Cap. Curator must classify Cap's peer class (closest: yield stablecoin / credit marketplace or synthetic-dollar protocols) to establish baseline. Cannot compute numeric delta without curator input.
RD-F-164 gray Leaked credential on paste/sentry site M-only (curator-only manual scan). No paste-site or Sentry credential leak for cap.app or cap-labs-dev found via public OSINT web searches. Requires dedicated paste-monitoring service (HaveIBeenPwned, Pastebin monitoring, Sentry-error-leak scan) — not accessible via web search. No evidence of leaked credentials in public sources. Gap is structural (no automated feed for this class of signal).
RD-F-165 gray Protocol social channel has scam-coordinator flag M-only (curator social watchlist). Cap has Discord at discord.gg/TnQTGuYqEq. No Telegram confirmed. No scam-coordinator report for Cap's Discord found in OSINT web searches. Requires curator scam-coordinator watchlist cross-reference. No automated public feed available for this class of signal.
RD-F-158 green Known-threat-actor cluster has touched protocol T-09 phase-2 signal (advisory, tier-C). No known threat-actor wallet interaction with Cap found in public sources. Web searches for 'cap.app' + 'Lazarus' / 'DPRK' / 'threat actor' / 'attacker' returned zero Cap-specific attribution results (only general DPRK crypto-crime trend articles). Zero protocol-level incidents per profile §10. Data cache rekt entries (Radiant Capital x2, Rari Capital, Midas Capital x2) are all false positives per U-rule U22 (keyword match, unrelated protocols). Requires partner feed (Chainalysis/TRM) for live monitoring; public-proxy observation is clean. Note: an adversary *using* cUSD as a venue (e.g., borrowing from Cap post-exploit) would be a Cat 5 / Cat 11 yellow at most, not team contamination — per U4/U15 distinction.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No GitHub security advisory found for cap-labs-dev/cap-contracts or its key dependencies in trailing 90 days. Cap uses OpenZeppelin Contracts 5.2.0 (data cache: github.oz_contracts_version = 5.2.0) and Solidity 0.8.28. OSINT web search for 'cap-contracts GitHub security advisory vulnerability 2025 2026' returned only general GitHub security tooling articles — no Cap-specific advisory. No known malicious release for OZ 5.2.0 or solc 0.8.28 in this window. GitHub advisory database search returned no Cap-specific GHSA entries.
Tooling / compiler / AI Green 8 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) All Cap contracts use Solidity v0.8.28 (foundry.toml: solc='0.8.28'; Etherscan verified source: v0.8.28+commit.7893614a). Per Etherscan solcbuginfo: v0.8.28 is affected by 'TransientStorageClearingHelperCollision' (HIGH severity, introduced 0.8.28, fixed 0.8.34). Bug affects clearing both persistent and transient storage variables in the same contract. Inspected Cap contracts do not appear to use transient storage (EIP-1153 TSTORE/TLOAD), and viaIR is only in the release profile. Effective exploitability is low given no transient storage usage, but the compiler version remains on the known-bug list for a high-severity issue. Upgrade to solc 0.8.34+ would remediate.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Cap is an original architecture with no audited upstream protocol to compare bytecode against. The factor addresses AI-generated copy risk where bytecode resembles an audited upstream with behavioral deviation — not applicable to an original protocol.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No AI-tool co-authorship metadata ('Co-authored-by: GitHub Copilot' or similar) found in the 20 most recent commits inspected. A '.claude' directory is present in the repo root (infrastructure tooling, not Solidity co-authorship). No AI-generated code co-authorship flags detected in security-critical contract files.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure found of AI-generated Solidity in security-critical production code. Cap Labs blog, docs.cap.app, and X (@caplabs_) searched — no AI-disclosure statements. The gambit.config.json (mutation testing) and .claude directory (infrastructure) suggest AI tooling for testing, not production Solidity generation.
RD-F-174 green Dependency tree uses EOL Solidity version Solidity 0.8.28 is NOT an EOL version — it is within the actively supported 0.8.x branch (latest stable: 0.8.34 as of assessment). The 0.8.x branch is the current supported major version. No EOL version found in the dependency tree. OZ 5.2.0 is compiled with the same version.
Response & disclosure hygiene Yellow 44 4 of 4
RD-F-176 red Disclosure SLA public No public acknowledgment-time SLA published. The Sherlock bug bounty page (https://audits.sherlock.xyz/bug-bounties/114) does not include a protocol-published acknowledgment SLA. Cap docs (docs.cap.app) contain no disclosure SLA. No security policy page found on cap.app or GitHub. Red per methodology: 'no SLA published -> red'. Note: Sherlock platform sets internal triage norms, but those are not a protocol-published SLA commitment.
RD-F-175 yellow Disclosure channel exists Active Sherlock bug bounty exists at https://audits.sherlock.xyz/bug-bounties/114 (live since 2025-10-24, max $1M USDC) — this constitutes a public disclosure channel. However, no SECURITY.md on GitHub (data cache github.security_md_present: false), no published SIRT email, and no security.txt or dedicated security page on docs.cap.app. No evidence of prior submissions or active monitoring beyond Sherlock's platform-standard triage found (protocol is 9 months old with 0 incidents). Yellow: channel exists but active-monitoring evidence is absent.
RD-F-177 gray Prior known-ignored disclosure No prior incidents exist for Cap; this factor cannot be assessed. Gray per methodology: 'no prior incidents -> gray' (cannot evaluate ignored disclosure without an incident context).
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found against cap-labs-dev/cap-contracts or the Cap protocol as of 2026-05-17. Searched GitHub Security Advisories for the cap-labs-dev org and ran web searches for 'cap labs CVE' and 'cap labs GHSA advisory'. No advisories identified.
rubric_version v1.7.0 graded_at 2026-05-17 10:56:26 factors 184 protocol cap