GitHub malicious-dependency incident touching protocol deps

Cap (cUSD / stcUSD)'s assessment for RD-F-160 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No GitHub security advisory found for cap-labs-dev/cap-contracts or its key dependencies in trailing 90 days. Cap uses OpenZeppelin Contracts 5.2.0 (data cache: github.oz_contracts_version = 5.2.0) and Solidity 0.8.28. OSINT web search for 'cap-contracts GitHub security advisory vulnerability 2025 2026' returned only general GitHub security tooling articles — no Cap-specific advisory. No known malicious release for OZ 5.2.0 or solc 0.8.28 in this window. GitHub advisory database search returned no Cap-specific GHSA entries.

Sources #

Internal
Cap data cache — OZ version and Solidity version.research/protocols/cap/00-data-cache.json sources.github.oz_contracts_version = 5.2.0, solidity_version = 0.8.28retrieved 2026-05-17
URL
GitHub Advisory DatabaseGitHub Advisory Database search for cap-contracts — no resultsretrieved 2026-05-17

Methodology #

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol cap factor RD-F-160 score green collected_at 2026-05-17 10:56:24