Security Best Case
Cap
A stablecoin that launched with all four layers of the security stack in place
Most protocols ship one or two layers of security. The good ones ship three. Cap shipped four: pre-deployment review (audits), per-change review (continuous security), runtime detection (monitoring), and user-side recovery (insurance). On top of that, a $1M bounty closes a fifth layer of defense.
Audits
8 independent audits
Layered verification across different firms and methodologies (manual, formal, contest, invariant).
| Date | Firm | Tier | Scope | Report |
|---|---|---|---|---|
| 2025-02-17 | — | S | Smart contract | PDF → |
| 2025-03-03 | — | S | Smart contract | PDF → |
| 2025-04-14 | Spearbit | A+ | Smart contract | PDF → |
| 2025-05-25 | Electisec | — | LayerZero vault | PDF → |
| 2025-05-28 | — | — | Invariant testing | PDF → |
| 2025-07-10 | — | A | Audit contest | PDF → |
| 2025-09-15 | — | S | EigenAVS formal verification | PDF → |
| 2025-11-27 | Spearbit | A+ | Smart contract | PDF → |
Operational Setup
Operational security setup
Multi-layer controls designed so a single key compromise does not translate into immediate loss.
1. Multi-layer pre-deployment review (audits)
If a single major firm misses one Critical, you are done. Cap stacked seven firms so each one's blind spots are covered by the others. A quarterly cycle ensures it is not a one-shot pass.
Four S-tier firms in parallel
Trail of Bits, Zellic, Certora, and Spearbit. Each is normally considered enough on its own. Their strengths are complementary (ToB's research depth, Zellic's CTF instinct, Certora's formal proofs, Spearbit's boutique reviews), so few blind spots remain.
Mixed methodologies on purpose
Manual review (ToB, Zellic, Spearbit), formal verification (Certora), contest (Sherlock), and invariant testing (Recon). Re-examining the same code with different tools means each tool's blind spots get caught by the next. This is a decisive difference from projects that lean on a single methodology.
Quarterly audit cycle
Not a one-time pre-launch pass: Cap commits to recurring quarterly audits. Code is alive and external dependencies change, so a single audit cannot stay valid forever.
Spearbit PR review follow-up (Nov 2025)
Six months after the main audit, Spearbit returned to review changes at PR granularity. Putting every post-launch change through external review is unusual.
2. Per-change continuous review
Code changes between scheduled audits are the highest-risk window. Cap closes that gap with automation.
Octane Security analyzes every PR
Octane's LLM audit agent analyzes pull requests automatically as they come in. Small changes that would not warrant a fresh formal audit still get a first pass before merge. This resolves the practical limit that not every small PR can be sent back to a human audit firm.
Slither also runs in CI
If Octane is strong on LLM reasoning, Slither is strong on known-pattern matching. The two are complementary, so running them in parallel is the normal posture. Triggered via the `yarn test:slither` script in CI.
3. Runtime detection
No matter how thick the audits, no audit fully simulates production usage. So independent runtime detection is required.
Hypernative real-time threat detection
Real-time monitoring of TVL swings, anomalous transactions, governance actions, and mint outliers. Automated alerts must reach the war room before humans notice. The lag between incident start and response start translates directly into loss size.
4. External whitehat incentives
The conclusion of the internal audit cycle does not remove the need for external eyes. Post-launch is when risk is highest, and that is when the whitehat incentive must be large enough to outpace blackhats.
Sherlock standing bounty up to $1M
Up to $1M per Critical. At that scale, whitehats have a reasonable case for spending time on review. Smaller bounties may signal good faith for new projects but rarely move the needle for someone who can find a real Critical.
5. End-user coverage
Even if all four layers above are bypassed, user funds should still be recoverable. A pre-arranged insurance channel for users is far more credible than ad-hoc post-incident treasury commitments.
OpenCover integration provides user-side insurance options
Users can directly purchase coverage for Cap exploits, depegs, and exposure to integrated Pendle markets. Designing coverage that includes risk from integrated external protocols is a detail most teams skip.
Foundation: contract-level defensive circuits
The base layer underneath all five layers. Authority separation, time delays, and pause circuits so a single key compromise does not immediately become loss.
Function-level multisig
Not the common owner-does-everything pattern. Each sensitive function has its own permission group, so a single key compromise cannot trigger every action. The blast radius is intentionally narrow by design.
OpenZeppelin TimelockController, 86,400-second (1-day) minimum delay
Admin actions never execute immediately. Users get a 24-hour withdrawal window before any change takes effect, and a key compromise can be responded to within that same window.
Dual pause + emergency withdraw
`pauseAsset` (per-asset) and `pauseProtocol` (whole protocol) are separated, giving flexibility for both day-to-day operation and emergency response. Emergency withdraw is decoupled from the main logic so users can recover their assets even when the protocol is paused.
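The three controls above (function-level roles, the two independent pause circuits, and an emergency withdraw that bypasses the paused logic) wired to a TimelockController with the 1-day minimum delay, as one added example. This is illustrative code written for this page, not Cap's contracts: it assumes OpenZeppelin Contracts v5, and every contract, role and function name in it (DefensiveVault, PAUSER_ROLE, emergencyWithdraw, DeployDefensiveVault) is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the patterns described above, not Cap's code.
// Assumes OpenZeppelin Contracts v5; every name below is hypothetical.
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract DefensiveVault is AccessControl {
    using SafeERC20 for IERC20;

    // One role per sensitive action instead of one owner that can do everything.
    // A leaked PAUSER key can halt the protocol but cannot change fees or
    // unpause; a leaked FEE key cannot pause anything.
    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");
    bytes32 public constant UNPAUSER_ROLE = keccak256("UNPAUSER_ROLE");
    bytes32 public constant FEE_ROLE = keccak256("FEE_ROLE");

    bool public protocolPaused;
    mapping(address => bool) public assetPaused;
    mapping(address => mapping(address => uint256)) public balances; // user => asset => amount
    uint16 public feeBps; // stands in for any non-pause admin parameter

    error ProtocolPaused();
    error AssetPaused(address asset);

    // `timelock` holds the slow roles (admin, unpause, fees), so every such
    // change is queued on-chain for the delay first; `guardian` is a fast
    // multisig that can only pause.
    constructor(address timelock, address guardian) {
        _grantRole(DEFAULT_ADMIN_ROLE, timelock);
        _grantRole(UNPAUSER_ROLE, timelock);
        _grantRole(FEE_ROLE, timelock);
        _grantRole(PAUSER_ROLE, guardian);
    }

    modifier whenLive(address asset) {
        if (protocolPaused) revert ProtocolPaused();
        if (assetPaused[asset]) revert AssetPaused(asset);
        _;
    }

    // Two independent circuits: halt one asset, or halt everything.
    function pauseAsset(address asset) external onlyRole(PAUSER_ROLE) { assetPaused[asset] = true; }
    function pauseProtocol() external onlyRole(PAUSER_ROLE) { protocolPaused = true; }
    function unpauseAsset(address asset) external onlyRole(UNPAUSER_ROLE) { assetPaused[asset] = false; }
    function unpauseProtocol() external onlyRole(UNPAUSER_ROLE) { protocolPaused = false; }

    function setFeeBps(uint16 bps) external onlyRole(FEE_ROLE) {
        require(bps <= 1_000, "fee above 10%");
        feeBps = bps;
    }

    function deposit(address asset, uint256 amount) external whenLive(asset) {
        balances[msg.sender][asset] += amount;
        IERC20(asset).safeTransferFrom(msg.sender, address(this), amount);
    }

    function withdraw(address asset, uint256 amount) external whenLive(asset) {
        balances[msg.sender][asset] -= amount; // reverts on insufficient balance (checked math)
        IERC20(asset).safeTransfer(msg.sender, amount);
    }

    // Emergency exit: no pause modifier, no fee, no oracle, no call into the
    // rest of the protocol. It only zeroes the caller's own balance and sends
    // it back, so users can leave even while everything else is halted.
    function emergencyWithdraw(address asset) external {
        uint256 amount = balances[msg.sender][asset];
        balances[msg.sender][asset] = 0;
        IERC20(asset).safeTransfer(msg.sender, amount);
    }
}

// Wires the vault to a TimelockController with the 1-day minimum delay, so
// unpause and fee changes are visible on-chain 24 hours before they execute
// and users can withdraw in the meantime.
contract DeployDefensiveVault {
    uint256 public constant MIN_DELAY = 86_400; // seconds, i.e. 1 day

    function deploy(address adminMultisig, address guardian)
        external
        returns (TimelockController timelock, DefensiveVault vault)
    {
        address[] memory proposers = new address[](1);
        proposers[0] = adminMultisig; // may schedule and cancel operations
        address[] memory executors = new address[](1);
        executors[0] = address(0);    // open executor role: anyone may execute once the delay has passed
        timelock = new TimelockController(MIN_DELAY, proposers, executors, address(0)); // no extra admin key
        vault = new DefensiveVault(address(timelock), guardian);
    }
}
```

The design choice worth checking in any real deployment is the asymmetry: pausing is held by a fast key because it only removes functionality, while unpausing and parameter changes sit behind the timelock because they add functionality back. The emergency path is kept free of every modifier and every call into other protocol logic, since any shared dependency would let a pause or a broken oracle lock users in.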
Oracle: primary + backup + staleness auto-pause
Oracle manipulation is the most common DeFi exploit vector. Cap layers a backup adapter, staleness validation, and 8-decimal normalization, and mint and burn auto-pause when the price is stale. The key design choice is automatically falling into safe mode without human intervention.
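The oracle pattern described above (primary adapter, backup adapter, staleness validation, 8-decimal normalization, and a mint/burn halt that needs no human), as an added example. This is illustrative code written for this page, not Cap's oracle: the IAggregatorV3 interface follows the Chainlink AggregatorV3 shape, and the contract, function and threshold names (GuardedOracle, tripIfStale, maxAge) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the primary + backup + staleness pattern, not Cap's
// adapter. Interface matches the Chainlink AggregatorV3 shape; all other
// names and thresholds are hypothetical.
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract GuardedOracle {
    uint8 public constant TARGET_DECIMALS = 8;

    // Decimals are cached at registration so a read never depends on a second
    // external call that could revert outside the try/catch below.
    struct Feed { IAggregatorV3 adapter; uint8 decimals; uint256 maxAge; }
    mapping(address => Feed) public primary;
    mapping(address => Feed) public backup;

    // Latched when both feeds are unusable; cleared only by admin (expected to
    // be the timelock) once a fresh price is available again.
    mapping(address => bool) public mintBurnPaused;
    address public immutable admin;

    event AutoPaused(address indexed asset);
    event Resumed(address indexed asset);

    error OraclePaused(address asset);
    error NoValidPrice(address asset);

    constructor(address admin_) { admin = admin_; }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function setFeeds(address asset, IAggregatorV3 primaryAdapter, IAggregatorV3 backupAdapter, uint256 maxAge)
        external onlyAdmin
    {
        primary[asset] = Feed(primaryAdapter, primaryAdapter.decimals(), maxAge);
        uint8 backupDecimals = address(backupAdapter) == address(0) ? 0 : backupAdapter.decimals();
        backup[asset] = Feed(backupAdapter, backupDecimals, maxAge);
    }

    // Reads one feed and returns (price in 8 decimals, valid). Never reverts:
    // a broken or malicious feed must not take the consumer down with it.
    function _read(Feed memory f) internal view returns (uint256 price, bool ok) {
        if (address(f.adapter) == address(0)) return (0, false);
        try f.adapter.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {
            if (answer <= 0) return (0, false);                                   // sentinel or broken feed
            if (updatedAt == 0 || updatedAt > block.timestamp) return (0, false);   // never updated / future-dated
            if (block.timestamp - updatedAt > f.maxAge) return (0, false);          // stale
            return (_normalize(uint256(answer), f.decimals), true);
        } catch {
            return (0, false);                                                     // reverting adapter
        }
    }

    // Every feed is brought to 8 decimals so consumers never mix scales.
    function _normalize(uint256 p, uint8 dec) internal pure returns (uint256) {
        if (dec == TARGET_DECIMALS) return p;
        if (dec > TARGET_DECIMALS) return p / 10 ** (dec - TARGET_DECIMALS);
        return p * 10 ** (TARGET_DECIMALS - dec);
    }

    // Used by mint and burn. Fails closed: reverts while the breaker is latched
    // or while neither feed is fresh, so no mint or burn happens on a bad price.
    function getPrice(address asset) public view returns (uint256) {
        if (mintBurnPaused[asset]) revert OraclePaused(asset);
        (uint256 p, bool ok) = _read(primary[asset]);
        if (ok) return p;
        (p, ok) = _read(backup[asset]);
        if (ok) return p;
        revert NoValidPrice(asset);
    }

    // Permissionless latch. A pause written inside a reverting mint would be
    // rolled back with the revert, so the persistent pause is tripped in its
    // own transaction, which anyone (a keeper or a monitoring bot) may send.
    function tripIfStale(address asset) external {
        (, bool okPrimary) = _read(primary[asset]);
        (, bool okBackup) = _read(backup[asset]);
        if (okPrimary || okBackup) return;
        mintBurnPaused[asset] = true;
        emit AutoPaused(asset);
    }

    // Unlatching is deliberately manual and cannot reopen into a bad state:
    // getPrice reverts here if the feeds are still stale.
    function resume(address asset) external onlyAdmin {
        mintBurnPaused[asset] = false;
        getPrice(asset);
        emit Resumed(asset);
    }
}
```

Two details in this shape matter in practice. First, the staleness check alone already puts mint and burn into safe mode with no human in the loop, because every call reverts until a feed is fresh; the latch exists so that a feed flickering back for one block cannot silently resume the protocol before someone has looked. Second, the latch must be set in a transaction that does not revert, which is why it is a separate permissionless call rather than a side effect of the failing mint.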
Full contracts and audit reports published on GitHub
cap-contracts and cap-audits repositories are public, and all eight reports can be verified directly. Verifiability is the baseline of trust.
Takeaway
Shipping all four security layers (pre-deployment review, continuous review, runtime detection, user insurance) on top of a $1M bounty and contract-level defenses is rare. Most protocols launch with only one or two. What is unusual about Cap is not the depth of any single layer but the number of layers and the decision to land all of them before launch. A reference for the upper bound of what new protocols can realistically achieve as a baseline.

