ERC-4626 virtual-share offset (OZ ≥4.9)

Cap (cUSD / stcUSD)'s assessment for RD-F-074 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

stcUSD (0x88887bE419578051FF9F4eb6C858A951921D8888) implements ERC4626Upgradeable (confirmed by Etherscan proxy read: implementation 0x42c0e0ef7c2f35de073f4d6f9c0e4483429c3d31). Built on OZ Contracts v5.2.0 (data cache github.oz_contracts_version). OZ v5.2.0 includes the virtual-share offset mechanism (introduced in OZ v4.9). However, whether the Cap implementation overrides _decimalsOffset() with a value > 0 could not be confirmed from available public sources — the OZ default is 0, which provides minimal inflation-attack protection via the +1 virtual asset/share. The 1-wei seed (F071) provides compensating first-depositor protection but is not equivalent to a high decimal-offset virtual share floor. Yellow: mitigant present (1-wei seed + OZ v5.2), specific offset unverified.

Sources #

Internal
Data cache — defillama.tvl_usd, tvl_cov_90d, tvl_30d_change_pct.research/protocols/cap/00-data-cache.jsonretrieved 2026-05-17
Etherscan
Etherscan — stcUSD proxy implements ERC4626Upgradeablehttps://etherscan.io/address/0x88887bE419578051FF9F4eb6C858A951921D8888#readProxyContractretrieved 2026-05-17
GitHub
Sherlock audit 2025-07-cap README — known issue: 1 wei vault seedinghttps://github.com/sherlock-audit/2025-07-capretrieved 2026-05-17

Methodology #

Determine whether ERC-4626 vaults use OpenZeppelin ≥4.9 virtual-share offset pattern to prevent first-depositor share-inflation.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol cap factor RD-F-074 score yellow collected_at 2026-05-17 10:56:24