Reentrancy guard on external-calling functions

Cap (cUSD / stcUSD)'s assessment for RD-F-014 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No explicit nonReentrant modifier found in Vault.sol, Lender.sol, VaultLogic.sol, BorrowLogic.sol, FractionalReserve.sol, or SymbioticNetworkMiddleware.sol. BorrowLogic.sol: debt token minted and reserve debt incremented BEFORE external calls to IVault.borrow() and IDelegation.setLastBorrow() — partial CEI compliance, but delegation call is post-state. ERC4626 paths in StakedCap.sol have OZ-provided protections. Multiple Tier-1 audits (ToB, Spearbit, Sherlock) covered borrow/mint/redeem paths. No reentrancy finding has been publicly disclosed, suggesting auditors accepted the pattern or found mitigations. Yellow due to absence of explicit guards without PDF confirmation of accepted-risk status.

Sources #

GitHub
BorrowLogic.sol — Reentrancy PatternBorrowLogic.sol — external calls (IVault.borrow, IDelegation.setLastBorrow) after partial state updates, no nonReentrantretrieved 2026-05-17
Audit
Spearbit LSR Audit — Borrow Path Coverage2025-06-23-Spearbit.pdf + 2025-09-03-Sherlock.pdf — Tier-1 audits covered borrow/mint paths (PDFs inaccessible for finding confirmation)retrieved 2026-05-17

Methodology #

Determine whether all state-mutating functions that perform external calls carry `nonReentrant` or an equivalent reentrancy guard.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol cap factor RD-F-014 score yellow collected_at 2026-05-17 10:56:24