Permissionless-pool lending oracle

Cap (cUSD / stcUSD)'s assessment for RD-F-181 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Cap operates a lending/borrow pool (Lender 0x15622c3dbbc5614E6DFa9446603c1779647f01FC). Operator listing is NOT permissionless — operators must register through AccessControl with admin approval, gated via Symbiotic and EigenLayer whitelisted participation. Oracle accepts prices from admin-configured adapters only, not from permissionless DEX pools. Rhea Finance / permissionless-pool vulnerability pattern does not apply. Green because listing is curated and oracle sources are admin-controlled.

Sources #

URL
Cap docs operator registration (whitelisted model)docs.cap.app/llms-full.txt: whitelisted operator model; operators must register through Symbiotic/EigenLayer infrastructure — not permissionlessretrieved 2026-05-17
GitHub
Sherlock Cap audit README — curated operator modelsherlock-audit/2025-07-cap README: protocol integrates stablecoins (USDC, USDT, pyUSD) with Symbiotic vault integration; no permissionless market listingretrieved 2026-05-17

Methodology #

Determine whether the lending protocol accepts spot prices from a DEX where any user can permissionlessly create new pools, without requiring a TWAP window, liquidity floor, or token-age minimum on the venue side.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol cap factor RD-F-181 score green collected_at 2026-05-17 10:56:24