Cap — stcUSD

Contract Addresses

Core Cap Contracts

Contract	Address	Type
cUSD	0xcCcc62962d17b8914c62D74FfB843d73B2a3cccC	ERC-20, upgradeable proxy (impl: 0xa76645e15c267b876999bf7689e0b2c1ee29bfe6)
stcUSD	0x88887bE419578051FF9F4eb6C858A951921D8888	ERC-4626 vault, upgradeable proxy (impl: 0x42c0e0ef7c2f35de073f4d6f9c0e4483429c3d31)
Debt USDC	0xfa8C6D0b95d9191B5A1D51C868Da2BDFd6C04Ff9	Tracks operator borrowings

Infrastructure Contracts

Contract	Address	Purpose
Oracle	0xcD7f45566bc0E7303fB92A93969BB4D3f6e662bb	Price oracle for reserve assets
Lender	0x15622c3dbbc5614E6DFa9446603c1779647f01FC	Operator borrowing/repayment engine
Access Control	0x7731129a10d51e18cDE607C5C115F26503D2c683	Role-based permission system (upgradeable proxy)
Delegation	0xF3E3Eae671000612CE3Fd15e1019154C1a4d693F	Symbiotic delegation management
Fee Auction	0xa1a20aBdc873CF291c22Ce3C8968EC06277324D0	Dutch auction for fee conversion
Fee Receiver	0x0036c7b9b62c53F47c804a5643F0c09f864beF0b	Collects protocol fees
USDC Fractional Reserve Vault	0x3Ed6aa32c930253fc990dE58fF882B9186cd0072	Yearn V3 vault — deploys USDC to Morpho (67%) + Aave V3 (33%)
wWTGXX Fractional Reserve Vault	0xb1c1C80FDbBde5B40264e1410550F3C864113bF8	Yearn V3 vault — holds wWTGXX (~$5M) via holder strategy
cUSD Adapter	0xAcc9ce4C15A0F6A2bec49C3F81261d60553D2Faf	cUSD integration adapter
stcUSD Adapter	0xdf48Eb321B38bc19E7F5b2CCA8242Cc6B9a6EcD0	stcUSD integration adapter

Governance Contracts

Contract	Address	Configuration
Timelock	0xD8236031d8279d82E615aF2BFab5FC0127A329ab	OZ TimelockController, 24-hour delay. Holds DEFAULT_ADMIN_ROLE on Access Control
Multisig	0xb8FC49402dF3ee4f8587268FB89fda4d621a8793	3-of-5 Gnosis Safe (v1.4.1). PROPOSER, EXECUTOR, CANCELLER roles on Timelock
Deployer EOA	0xc1ab5a9593e6e1662a9a44f84df4f31fc8a76b52	Retains EXECUTOR_ROLE on Timelock (can execute queued proposals but cannot propose or cancel)

Symbiotic Integration

Contract	Address	Purpose
Network	0x98e52Ea7578F2088c152E81b17A9a459bF089f2a	Cap's Symbiotic network registration
Network Middleware	0x09A3976d8D63728d20DCDFEe1e531C206Ba91225	Slashing/reward logic
Vault Factory	0x0B92300C8494833E504Ad7d36a301eA80DbBAE2e	Deploys per-operator Symbiotic vaults
Agent Manager	0x08A728CF4E6b39f4AFa059c6eE376103722953eA	Manages operator-vault whitelisting

Oracles

Contract	Address	Purpose
Redstone cUSD	0x9A5a3c3Ed0361505cC1D4e824B3854De5724434A	cUSD price feed (0.05% deviation threshold)
Morpho stcUSD	0x8E3386B2f6084eB1B0988070c3d826995BD175c0	stcUSD price feed for Morpho markets

Morpho Markets (stcUSD as collateral)

Market	Collateral	Loan Token	LLTV	Supply TVL	Utilization
stcUSD / USDC	stcUSD	USDC	91.5%	~$42M	~91%
PT-cUSD-23JUL2026 / USDC	PT-cUSD (Pendle)	USDC	91.5%	~$2.3M	~91%
PT-stcUSD-23JUL2026 / USDC	PT-stcUSD (Pendle)	USDC	91.5%	~$1.5M	~91%

Audits and Due Diligence Disclosures

Cap Protocol Audits

Cap has been audited by 7 firms with 8 total reports (including one PR review), covering the core protocol, security network, and invariant testing:

Auditor	Date	Scope	Report
Zellic	Feb–Mar 2025	Cap protocol (core)	PDF
Trail of Bits	Mar–May 2025	Cap protocol (core)	PDF
Spearbit	Apr–Jun 2025	Cap protocol (core)	PDF
Electisec	May 2025	LayerZero vault	PDF
Recon	May–Jul 2025	Invariant testing	PDF
Sherlock	Jul–Sep 2025	Cap protocol (contest, $126K pool)	PDF
Certora	Sep 2025	EigenLayer SSN (AVS)	PDF
Spearbit (PR Review)	Nov 2025	Incremental PR review	PDF

Note: Finding severity breakdowns are not publicly summarized. The audit PDFs are available in the cap-audits repository.

Bug Bounty

• Sherlock Bug Bounty: Active since October 24, 2025. Max payout: $1,000,000 USDC (10% of funds at risk). Critical severity only. Coded PoC required. Core contracts in scope include AccessControl, Delegation, FeeAuction, Oracle, Lender, Vault, FractionalReserve, and Minter
  • Link: https://audits.sherlock.xyz/bug-bounties/114
• Immunefi: Not listed
• Safe Harbor: Cap is not listed on the SEAL Safe Harbor registry

On-Chain Complexity

The Cap system is high complexity:

• Multi-contract architecture: 10+ core contracts (cUSD, stcUSD, Lender, Oracle, Access Control, Delegation, Fee Auction, Fee Receiver, Fractional Reserve, Adapters)
• Upgradeable proxies: cUSD, stcUSD, and Access Control are ERC-1967 upgradeable proxies (proxy admin set to address(0), upgrades via Access Control roles through Timelock)
• Symbiotic integration: Per-operator vault deployment, middleware for slashing/rewards, restaker delegation management
• Operator model: Offchain yield generation by institutional counterparties, onchain borrowing/repayment/liquidation
• Multi-oracle system: RedStone price feeds with staleness checks, Morpho oracle adapters
• Cross-protocol dependencies: Aave V3, Morpho, Symbiotic, RedStone, Pendle (for PT tokens)

Historical Track Record

• Launch date: August 19, 2025 — ~7 months in production
• cUSD supply: ~129M cUSD
• stcUSD supply: ~93.6M stcUSD (~76% staking ratio)
• stcUSD PPS: 1.0000 → 1.0531 (~5.3% cumulative return over ~7 months, ~9-10% annualized)
• Security incidents: None known
• Cumulative yield paid: $4M+ to stcUSD holders
• Peak TVL: ~$500M (January 2026)
• Current TVL: ~$288M (March 2026, includes restaker collateral)
• Protocol age: Relatively new — launched August 2025, audited from February 2025

Team track record:

• Benjamin918 (CEO): Previously scaled QiDAO from $0 to $400M TVL
• the_weso (CTO): Founding member of Beefy Finance (peaked at $1B+ TVL)

Funding: $11M total raised — $3M pre-seed, $8M seed (co-led by Franklin Templeton and Kraken Ventures), $1.1M community round on Echo. Investors include Franklin Templeton, Kraken Ventures, Blockchain Capital, a16z crypto, Dragonfly, Lightspeed Faction, Susquehanna (SIG), Nomura's Laser Digital, GSR, Robot Ventures, and others.

Funds Management

Yield Generation

stcUSD earns yield from two primary sources:

1. Fractional Reserve Deployment

Idle cUSD reserves are deployed via two Yearn V3 Fractional Reserve Vaults:

• USDC FRV (0x3Ed6aa32c930253fc990dE58fF882B9186cd0072): ~$75.2M USDC split between Morpho Gauntlet USDC Prime (~$50.2M, 67%) and Aave V3 USDC Lender (~$25.0M, 33%)
• wWTGXX FRV (0xb1c1C80FDbBde5B40264e1410550F3C864113bF8): ~$5.0M wWTGXX held via simple holder strategy (wWTGXX is itself a yield-bearing WisdomTree Government Money Market fund token)

2. Operator Borrowing Fees (~10% of yield)

Institutional operators borrow reserve capital at a dynamic hurdle rate (~5.2% average over 90 days). The hurdle rate is a function of:

• Market rate: Benchmarked against Aave USDC supply rate (competitive floor)
• Utilization rate: Piecewise linear adjustment that escalates sharply at high utilization

Operators generate yield through proprietary strategies: HFT, private credit, cross-market arbitrage, MEV capture, funding rate arbitrage, and token farming. Named operators include IMC Trading, Edge Capital, and Susquehanna Crypto.

Yield distribution (example with 15% operator yield, 8% hurdle rate):

• 8% flows to stcUSD holders (hurdle rate)
• 2% goes to restakers (negotiated premium)
• 5% remains as operator profit

Collateralization

• cUSD reserves: Backed by 2 whitelisted assets onchain: USDC (~$124M, 96%) and wWTGXX (~$5M, 4%). USDC dominates — the 40% single-asset concentration cap is not binding
• Reserve deployment: USDC Fractional Reserve Vault holds ~$75.2M (Morpho ~$50.2M + Aave ~$25.0M). ~$48.9M lent to operators. wWTGXX FRV holds ~$5M via holder strategy
• Operator collateralization: Each operator must secure over-collateralized Symbiotic delegations (default 50% LTV, 80% liquidation threshold) from restakers before borrowing
• Liquidation: Health Factor < 1.0 triggers a 12-hour grace period, then a 3-day liquidation window via permissionless Dutch auction. Liquidation bonus capped at 10%. Target: 125% health ratio post-liquidation
• Slashing: Instant slashing on two objective fault conditions: (1) failure to return expected amount, (2) insufficient active delegation. No governance intervention needed

Accessibility

• Deposits: Permissionless — deposit cUSD to receive stcUSD (ERC-4626 standard)
• Withdrawals: ERC-4626 standard. Redeem stcUSD for cUSD
• cUSD minting: Deposit whitelisted reserve assets at oracle price with 0.10% minting fee
• cUSD burning: Receive a single reserve asset at oracle price with dynamic fee
• cUSD redemption: Receive proportional basket of all underlying assets with fixed fee (lower than burn fee)
• Restaker withdrawal delay: Up to 14 days (epoch-based: 7-day epochs)

Provability

• stcUSD exchange rate: Onchain ERC-4626 standard (convertToAssets()/convertToShares()). Fully programmatic
• Reserve composition: Onchain — reserve assets held in the vault contracts are verifiable
• Fractional reserve positions: Onchain — Aave V3 aToken balances verifiable
• Operator positions: Partially onchain — borrowing/repayment recorded onchain, but operators' actual yield strategies are offchain and opaque
• Slashing conditions: Onchain verifiable — objective fault conditions, no governance discretion

Liquidity Risk

• Primary exit for stcUSD: Redeem stcUSD for cUSD via ERC-4626 withdraw()/redeem(). Then burn/redeem cUSD for underlying reserves
• cUSD exit mechanisms: Burn (receive single asset at oracle price, dynamic fee) or Redeem (receive proportional basket, fixed fee). The redemption mechanism is designed to prevent "last man standing" scenarios
• Morpho/Aave liquidity dependency: ~$75M USDC deployed across Morpho (~$50M) and Aave V3 (~$25M). Withdrawal depends on available liquidity in both protocols. Generally liquid, but in extreme scenarios (high utilization spikes), withdrawal may be delayed
• Morpho markets: stcUSD is collateral in Morpho markets with ~$42M supply TVL at ~91% utilization. High utilization means limited immediate liquidity for Morpho lenders
• No DEX liquidity pool required — exit is via protocol's own mint/burn/redeem mechanism
• Restaker withdrawal: Up to 14-day delay creates a potential friction point for operators needing to return capital
• Deposit/withdrawal: Permissionless, no lock period for stcUSD stakers

Centralization & Control Risks

Governance

Cap's governance flows through a 3-of-5 Gnosis Safe multisig → 24-hour TimelockController → Access Control system.

Governance hierarchy:

Position	Address	Configuration
Multisig	0xb8FC49402dF3ee4f8587268FB89fda4d621a8793	3-of-5 Gnosis Safe v1.4.1. PROPOSER + EXECUTOR + CANCELLER on Timelock
Timelock	0xD8236031d8279d82E615aF2BFab5FC0127A329ab	24-hour minimum delay. Holds DEFAULT_ADMIN_ROLE on Access Control
Deployer EOA	0xc1ab5a9593e6e1662a9a44f84df4f31fc8a76b52	Retains EXECUTOR_ROLE on Timelock (residual, never revoked)

Governance concerns:

1. Low multisig threshold: 3-of-5 is a relatively low threshold. Two dormant owners and one nested 1-of-2 Safe weaken the effective security
2. No public signer disclosure: Unlike Yearn (named, prominent DeFi signers), Cap's multisig owners are anonymous
3. Deployer EOA retains EXECUTOR_ROLE: While it cannot propose or cancel, it can execute already-queued Timelock proposals — a residual permission from deployment that was never revoked
4. Upgradeable contracts: cUSD, stcUSD, and Access Control are all upgradeable proxies. The upgrade path goes through the Timelock (24h delay), but the multisig can upgrade core token contracts

Programmability

Factor	Assessment
stcUSD PPS	Onchain ERC-4626, fully algorithmic
Vault operations	Permissionless staking/unstaking onchain
Reserve deployment	Automated via Fractional Reserve Vault to Aave V3
Operator strategies	Offchain — operators execute proprietary strategies. Borrowing/repayment recorded onchain, but actual yield generation is opaque
Hurdle rate	Onchain — dynamic function of market rate + utilization
Slashing	Onchain — objective fault conditions, permissionless liquidation

Programmability is mixed: Core vault mechanics (staking, PPS, reserve deployment, slashing) are fully onchain. However, the operator yield generation — which represents a portion of stcUSD yield — is offchain and opaque.

External Dependencies

Dependency	Criticality	Notes
Morpho	Critical	~$50.2M USDC deployed (67% of USDC FRV). Also stcUSD collateral market (~$42M). Core yield source
Aave V3 Core Ethereum	Critical	~$25.0M USDC deployed (33% of USDC FRV). Blue-chip protocol ($30B+ TVL)
Symbiotic	Critical	Restaking infrastructure securing operator positions. Per-operator vault delegation model
RedStone	High	cUSD price oracle (0.05% deviation threshold). Stale prices disable minting/burning
wWTGXX (WisdomTree)	Low	~$5M tokenized gov money market fund. Only 7 holders. Minimal DeFi track record
USDC (Circle)	High	Primary reserve asset
USDT, pyUSD, BENJI, BUIDL	Low	Listed in docs as potential reserve assets but not currently whitelisted onchain
Institutional Operators	High	IMC Trading, Edge Capital, Susquehanna Crypto generate yield via offchain strategies. Counterparty risk mitigated by Symbiotic restaking

Operational Risk

• Team: Cap Labs — Benjamin918 (CEO, ex-QiDAO $400M TVL) and the_weso (CTO, ex-Beefy Finance $1B+ TVL). Experienced DeFi founders but relatively small team
• Funding: $11M raised from tier-1 investors (Franklin Templeton, Kraken Ventures, a16z, Dragonfly, Blockchain Capital, Susquehanna). Strong institutional backing
• Governance: 3-of-5 multisig with anonymous signers and 24-hour timelock. No governance token. Protocol described as designed to "run autonomously via economic incentives"
• Documentation: Comprehensive documentation covering protocol mechanics, operator model, and security network. Contract source code verified on Etherscan
• Legal: No disclosed legal entity structure. Relies on operators being "regulated financial institutions" with legal agreements with restakers
• Incident response: No incidents to date. $1M Sherlock bug bounty provides responsible disclosure channel. Emergency admin role can pause/unpause protocol
• Operator transparency: Offchain yield strategies are opaque. While slashing provides recourse, users cannot independently verify operator positions

Monitoring

Key Contracts

Contract	Address	Monitor
stcUSD Vault	0x88887bE419578051FF9F4eb6C858A951921D8888	PPS (convertToAssets(1e18)), totalAssets(), totalSupply()
cUSD Token	0xcCcc62962d17b8914c62D74FfB843d73B2a3cccC	totalSupply(), paused(), Mint/Burn events
Fractional Reserve	0x3Ed6aa32c930253fc990dE58fF882B9186cd0072	totalAssets(), Aave aUSDC balance
Debt USDC	0xfa8C6D0b95d9191B5A1D51C868Da2BDFd6C04Ff9	totalSupply() — tracks outstanding operator debt
Multisig	0xb8FC49402dF3ee4f8587268FB89fda4d621a8793	Signer/threshold changes, submitted transactions
Timelock	0xD8236031d8279d82E615aF2BFab5FC0127A329ab	Scheduled/executed transactions, delay changes
Access Control	0x7731129a10d51e18cDE607C5C115F26503D2c683	Role grants/revocations, implementation upgrades

Critical Events to Monitor

• stcUSD PPS decrease — any decrease in convertToAssets(1e18) indicates a loss event
• cUSD supply changes — large mint/burn events may indicate reserve stress
• Operator liquidations — Lender contract liquidation events indicate operator defaults
• Contract upgrades — implementation changes on proxy contracts (24h timelock provides advance notice)
• Multisig changes — signer additions/removals, threshold changes
• Morpho/Aave USDC utilization — high utilization in either protocol could delay reserve withdrawal
• Oracle staleness — stale RedStone prices disable minting/burning
• Reserve composition — significant changes in backing asset ratios

Reassessment Triggers

• Time-based: Reassess in 6 months (September 2026) or after 12 months of production history
• TVL-based: Reassess if TVL exceeds $500M or changes by more than ±50%
• Incident-based: Reassess after any exploit, operator default, slashing event, or governance incident
• Governance-based: Reassess if multisig threshold or signers change, or if deployer EOA's EXECUTOR_ROLE is revoked (positive signal)
• Operator-based: Reassess if new operators are onboarded or existing operators experience issues
• Protocol-based: Reassess if Morpho or Aave V3 USDC utilization consistently exceeds 90% or if either experiences a security incident
• Upgrade-based: Reassess after any contract upgrade via Timelock