Trail of Bits

CAP Labs Covered Agent Protocol

Type: Security review
Client: CAP Labs
Date: 2025-05
Domain: Blockchain
Effort: 9 wks
Section: Ethereum/EVM

Trail of Bits's security review of CAP Labs (May 2025) identified 29 issues: 7 high, 8 medium, 6 low, and 8 informational.

Findings · 29

  1. Missing input validation in FeeAuction.buy allows payment without asset transfer (Medium)
  2. Incorrect oracle staleness period leads to price feed DoS (High)
  3. Vaults can be added to the middleware multiple times, leading to double-counted delegations (Medium)
  4. StakedCap yield distribution DoS through timer manipulation (Medium)
  5. Inconsistent balance tracking in vault creates DoS for asset borrowing (High)
  6. Unsafe asset removal without borrow validation (Medium)
  7. Initial auction start price can be lower than minimum start price (Low)
  8. Immediate liquidation possible when reducing an agent's liquidation threshold (Informational)
  9. FeeAuction's buy function allows purchasing at sub-optimal prices by adding tokens during an active auction (Low)
  10. Missing event emissions for critical parameter changes in VaultAdapter (Informational)
  11. VaultAdapter's setSlopes function permits zero or maximum kink values that cause division by zero (Informational)
  12. Unvalidated _vault address in VaultAdapter allows interest rate manipulation (High)
  13. Fee auction allows buying zero assets, leading to front-running attacks (High)
  14. Discrepancy between health calculation and slashable collateral computation (High)
  15. Reward distribution enables front-running attacks and reward siphoning (High)
  16. Unaccounted external vault investment losses can create withdrawal shortfalls (Medium)
  17. Wrong capTokenDecimals value used in StakedCapAdapter.price causes inaccurate prices (High)
  18. Liquidation mechanism can be permanently disabled by misconfigured grace and expiry periods (Medium)
  19. Oracle update front-running allows extraction of value from vaults (Medium)
  20. Asset removal does not reset isBorrowing flag for agents (Informational)
  21. Invalid network registration in Delegation.registerNetwork can cause DoS (Low)
  22. Lack of verification on ERC4626 vault withdrawal amounts (Informational)
  23. Agent LTV can be configured equal to or higher than liquidation threshold (Low)
  24. ZapOFTComposer._lzCompose may fail with USDT (Informational)
  25. Fee auction allows assets to be purchased for free (Informational)
  26. Small borrows can create economically unviable liquidatable positions leading to bad debt accumulation (Low)
  27. Interest rate manipulation through frequent mints and burns (Low)
  28. Protocol lacks bad debt management mechanisms, risking permanent insolvency (Medium)
  29. Reward distribution can be tricked by front-running notify calls (Informational)

Finding titles and severities are extracted from the published report PDF; see the full report for details and remediation.