Dependency had malicious-release incident (last 90d)

Cap (cUSD / stcUSD)'s assessment for RD-F-134 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No malicious-release security advisories found for any Cap dependencies (LayerZero devtools, OpenZeppelin Contracts 5.x, forge-std, openzeppelin-foundry-upgrades) in the trailing 90 days as of 2026-05-17. OZ 5.2.x is a recent stable release with active maintenance. No GHSA advisory flags found for any used package.

Sources #

GitHub
Cap Contracts .gitmodules — Dependency List.gitmodules — dependency list (forge-std, layerzero-devtools, layerzero-v2, etc.); no advisory flagsretrieved 2026-05-17
GitHub
Cap Contracts package.jsonpackage.json — @openzeppelin/contracts ^5.2.0; no active CVE/GHSA for OZ 5.2.xretrieved 2026-05-17

Methodology #

Determine whether any npm/PyPI/crates.io dependency of this protocol had a flagged malicious release in the trailing 90 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol cap factor RD-F-134 score green collected_at 2026-05-17 10:56:24