★ Audit scope mismatch
Cap (cUSD / stcUSD)'s assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
9 audit engagements confirmed (Zellic 2025-03-17, ToB 2025-05-15, Electisec 2025-05-25, Spearbit 2025-06-23, Recon 2025-07-04, Sherlock 2025-09-03, Certora 2025-09-15, Spearbit PR review 2025-11-27, Octane 2026-03-24). Sherlock competitive audit commit confirmed: 0a57fbfdba7f54e516b5ed412548b7e415f3739d. No commit SHAs published on docs.cap.app/resources/audits — PDFs inaccessible for SHA extraction. Octane 2026-03-24 is the latest audit; main branch commits extend to 2026-05-08 (44 days of post-audit development including FalconXUSDC Oracle, Tempo Bridge, OFT settings). check-proxy-implem.txt shows one implementation address mismatch (expected 0xce21... vs actual 0x568A...) consistent with a legitimate upgrade. Score yellow due to post-audit development gap and inability to verify all audit-to-bytecode commit SHA matches.
Sources #
- GitHubCap Audits Repositorycap-labs-dev/cap-audits repository — 9 PDF audit reports listedretrieved 2026-05-17
- Cap Contracts Commit Historycap-contracts commits/main — last commit 2026-05-08 (post-Octane dev)retrieved 2026-05-17
- Cap Protocol Audit Resourcesdocs.cap.app/resources/audits — audit listing without commit SHAsretrieved 2026-05-17
- Cap Contracts Proxy Implementation Checkcheck-proxy-implem.txt — implementation address verification (one mismatch noted)retrieved 2026-05-17
- Sherlock Audit 2025-07-cap (Cap Protocol)sherlock-audit/2025-07-cap — Sherlock competitive audit commit 0a57fbfdba7f54e516b5ed412548b7e415f3739dretrieved 2026-05-17
Methodology #
Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
See the full factor methodology and distribution across all protocols →