Cap

Reward Amounts

Critical

  • 1,000,000 USDC maximum payout
  • Payout shall not exceed 10% of funds at risk at time of submission

Actual reward amounts will be decided upon vulnerability validation and severity assessment by Sherlock, up to the caps listed above. Lower-severity issues (e.g. Low or Informational) are not eligible for rewards under this program.

Severity Criteria

Critical Definition

  • Definite and significant loss of funds without limitations of external conditions
  • Definite and significant freezing of funds for >1 year without limitations of external conditions
  • Only vulnerabilities in core contracts qualify for the Critical severity

General Notes

  • Sherlock’s Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues, etc., but nothing in the guide should overrule the definitions above
  • A coded Proof of Concept (POC) with instructions to run the POC is required
  • If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability.

Scope

Chains

  • Ethereum Mainnet

Contracts

  • Core Contracts (and inherited contracts):
    • AccessControl.sol
    • Delegation.sol
    • FeeAuction.sol
    • FeeReceiver.sol
    • Oracle.sol
    • Lender.sol
    • Vault.sol
    • FractionalReserve.sol
    • Minter.sol

Out of Scope

  • Contracts that are not deployed
  • Any known issues already identified in prior audits
  • Issues related to the front end will be judged at the discretion of the Cap team
  • Gelato
  • External protocol integrations
  • Issues solely related to missing or incorrect NatSpec comments, outdated documentation, or comment hygiene

Previous Audits

Additional Context

Cap uses Shared Security Networks (Symbiotic and EigenLayer) to secure collateral for borrowing operations.

  • Price feed oracles: Chainlink, Redstone

Trusted protocol roles

  • Protocol admins (Msig, Developer EOA) are trusted

Protocol Resources

Eligibility

To be eligible for a reward under this program, you must meet the following criteria:

  • No sanctions: You are not on any sanctions list, including the U.S. Treasury Department's OFAC Specially Designated Nationals (SDN) list.
  • Legal capacity: You are legally permitted to participate in bug bounty programs and to receive funds in the jurisdiction you are operating from.

Max Rewards

1,000,000 USDC

Status: LIVE

Live since: Oct 24, 2025, 7:15 PM

Last updated: Oct 24, 2025, 7:15 PM