Simple Summary

This ARFC proposes onboarding stcUSD to the Aave V3 MegaETH instance.

stcUSD was included in the original MegaETH asset review scope but was deferred from the initial launch while technical and risk reviews continued. LlamaRisk has now published its technical assessment of cUSD and stcUSD. The corresponding risk assessment and recommended Aave V3 parameters, along with an updated technical assessment will be provided following this ARFC.

Motivation

Aave V3 is now live on MegaETH, and the market has moved beyond the initial launch configuration. The next step is to expand coverage for assets that can grow stablecoin and yield-bearing collateral usage on the instance.

stcUSD is the staked, yield-bearing component of Cap Protocol. Users mint stcUSD by staking cUSD, with yield generated from the underlying cUSD collateral and protocol-level yield mechanisms.

As of June 1, 2026, Cap reports $399.42M in total TVL, 113.17M cUSD in circulation, 81.69% of cUSD staked into stcUSD, and a 5.26% stcUSD 7-day APY. This places stcUSD in a competitive range relative to base stablecoin supply rates currently visible on Aave.

Supplying stcUSD as collateral lets users retain exposure to the stcUSD yield profile while borrowing stablecoins from Aave for looping or other strategies across MegaETH DeFi. This can create incremental borrowing demand for existing stablecoins on the MegaETH market, making the instance more attractive for stablecoin suppliers over time.

Onboarding stcUSD would give Cap users a direct Aave venue on MegaETH and give Aave V3 MegaETH a yield-bearing stablecoin collateral type with existing protocol usage. LlamaRisk has already provided the technical assessment for cUSD and stcUSD. The risk assessment and recommended Aave V3 parameters will follow this ARFC.

Specifications

This ARFC proposes to onboard stcUSD as a collateral asset to the Aave V3 MegaETH market.

• Market: Aave V3 MegaETH

• Asset: stcUSD

• Token Address: 0x88887bE419578051FF9F4eb6C858A951921D8888

• Reference Asset: cUSD

• cUSD Token Address: 0xcCcc62962d17b8914c62D74FfB843d73B2a3cccC

Risk parameters will be provided by LlamaRisk

Next Steps

1. Collect community and service provider feedback on the proposed onboarding of stcUSD to Aave V3 MegaETH.

2. LlamaRisk will provide the asset risk assessment and recommended Aave V3 parameters.

3. If consensus is reached, proceed to ARFC Snapshot.

4. If the ARFC Snapshot passes, proceed to AIP for final DAO approval and execution.

Disclaimer

Aave Labs is presenting this proposal as a service provider to the Aave DAO under the budget approved by the Aave Will Win framework. Aave Labs is contributing this proposal as part of its approved scope of work in support of DAO operations.

Copyright

Copyright and related rights waived via CC0.

For bringing this ARFC forward.

I have a few security and risk-related questions that I believe the community should consider before moving to Snapshot:

1. MegaETH-Specific Audit:
   Has stcUSD’s deployment on MegaETH been independently audited? The Certora and Sherlock audits covered Ethereum mainnet and EigenLayer integration — but MegaETH is a newly launched chain (Frontier mainnet, December 2025). Are there any MegaETH-specific contract audits available?

2. Circular Dependency Risk (Aave ↔ Cap Protocol):
   Over 80% of Cap Protocol’s reserves (~$360M+) are already deployed on Aave V3 Core Ethereum, and 90%+ of stcUSD yield comes from Aave. Now stcUSD is being proposed as collateral on Aave MegaETH. This creates a circular dependency — if Aave experiences a major exploit or liquidity crisis, Cap Protocol would be directly impacted, which in turn affects stcUSD’s value as collateral on Aave itself. How does the team plan to mitigate this systemic contagion risk?

3. Oracle Infrastructure on MegaETH:
   What price feed solution will be used for stcUSD on MegaETH? Is Chainlink or a similar battle-tested oracle available on MegaETH for this asset? Given the yield-bearing nature of stcUSD, exchange rate manipulation is a real concern.

4. Liquidation Bot Readiness:
   MegaETH is a high-performance, real-time chain. Are liquidation bots and keepers already deployed and tested on MegaETH for stcUSD? Thin liquidity + an immature chain could lead to failed liquidations and bad debt for Aave.

5. LlamaRisk Parameters Timeline:
   The ARFC mentions that risk parameters will be provided by LlamaRisk “following this ARFC.” Can we get an estimated timeline for when these parameters will be shared, so the community has adequate time to review before the Snapshot vote?

Support the direction of this proposal but believe these security clarifications are essential before proceeding.

I am generally supportive of onboarding stcUSD on MegaETH, but only with a conservative risk posture at launch.
stcUSD is more complex than a plain stablecoin because its value and utility depend on Cap’s protocol design, yield mechanics, and exit liquidity.
The proposal is coherent from a product perspective, but it should remain conditional on a full review of the oracle path, governance controls, and redemption robustness.
I would recommend low initial caps, conservative collateral parameters, and a gradual scale-up rather than broad exposure from day one.
The main risk is not only depeg, but also the correlation between yield, liquidity, and looping behavior on a still-young market.
If LlamaRisk confirms conservative parameters and no material weaknesses are found in Cap, I would consider the integration acceptable under enhanced monitoring.
As it stands, I would not support a launch with no limits or a material initial exposure.

I support onboarding stcUSD with conservative initial parameters. Cap Protocol has real usage — $399M TVL, 113M cUSD in circulation, 81.7% stake rate, 5.26% 7-day APY — and there’s a clear product case for a yield-bearing stablecoin collateral type on MegaETH. MconnectDAO’s questions about circular dependency, oracle infrastructure, and liquidation readiness are the right ones, and they need answers before Snapshot.

---

The case for onboarding

Three things work in this proposal’s favor:

1. Cap Protocol has demonstrated product-market fit at scale. $399M TVL and an 81.7% stake rate into stcUSD means users are actively choosing the yield-bearing form over the base stablecoin. The 5.26% APY is competitive without being suspiciously high — it sits within a plausible range for stablecoin lending yield. This is organic demand, not airdrop-juiced TVL that evaporates after token distribution.

2. MegaETH needs yield-bearing collateral diversity. The instance launched with a limited asset set. Adding stcUSD gives suppliers a productive collateral option and creates incremental borrowing demand for stablecoins already listed on MegaETH. Lending markets grow when there’s a reason to borrow, and looping yield-bearing stablecoins against base stablecoins is one of DeFi’s most reliable demand drivers.

3. The deferral from initial launch was the right call — and so is revisiting now. stcUSD was in the original MegaETH review scope but deferred pending technical assessment. LlamaRisk has now completed that assessment. Proceeding through ARFC is the appropriate next step.

---

Where the risk concentrates

MconnectDAO identified the central structural issue: circular dependency between Cap Protocol and Aave. This deserves precise quantification, not just acknowledgment.

Circularity: Cap’s reserves live on Aave

Over 80% of Cap Protocol’s reserves (~$360M+) are deployed on Aave V3 Core on Ethereum. Over 90% of stcUSD yield comes from Aave. Onboarding stcUSD to Aave MegaETH creates a reflexive loop:

• stcUSD generates yield because its reserves earn on Aave.
• stcUSD is accepted as collateral on Aave.
• If Aave experiences a liquidity event or exploit on its Core instance, Cap’s yield drops or freezes, stcUSD’s value proposition degrades, and the collateral backing Aave MegaETH loans loses its yield anchor simultaneously.

This is a contagion path. The DAO should know exactly what percentage of stcUSD yield derives from Aave lending rates versus other sources, and whether Cap has a reserve diversification timeline. If 90%+ of yield comes from Aave and the collateral sits on Aave, the DAO is essentially underwriting its own risk in both directions.

When a protocol’s primary revenue source and its collateral venue are the same entity, the demand architecture scores poorly for independence — a single-source yield dependency creates a correlated failure mode that standard LTV and liquidation parameters don’t capture.

Rehypothecation depth

stcUSD stacks three wrapping layers:

• Layer 1: USD → cUSD (Cap Protocol mint)
• Layer 2: cUSD → stcUSD (staking wrapper)
• Layer 3: stcUSD as Aave collateral

Each layer introduces an independent failure vector. Combined with the circular yield dependency, the effective risk is higher than the factor score alone suggests.

Oracle infrastructure on a young chain

MconnectDAO’s oracle question is critical. MegaETH launched its Frontier mainnet in December 2025 — roughly six months ago. For a yield-bearing asset like stcUSD, the oracle needs to track the exchange rate between stcUSD and its underlying cUSD. Exchange rate manipulation on thin-liquidity chains is a documented attack vector (see: Euler v1 exploit, Mango Markets).

The risk assessment should specify:

• Whether Chainlink feeds are live for stcUSD on MegaETH
• What the heartbeat and deviation thresholds are
• Whether an exchange rate oracle or market price oracle is being used
• What fallback mechanism exists if the primary feed fails

Liquidation infrastructure maturity

Spocky’s concern about liquidation readiness on a young chain is valid. Aave’s liquidation model assumes competitive liquidator participation. On a six-month-old chain, the liquidator set may be shallow. The risk parameters should account for this:

• Lower LTV and higher liquidation bonus than equivalent assets on Ethereum mainnet
• Conservative supply caps that can be raised via Risk Stewards as liquidator coverage is validated
• Monitoring for liquidation latency and success rate post-launch

---

Recommendations for LlamaRisk’s parameter assessment

1. Quantify the circular dependency. What percentage of stcUSD yield derives from Aave V3 Core? What happens to the stcUSD exchange rate if Aave Core utilization spikes or reserves are frozen? Model the scenario explicitly.

2. Conservative initial caps. Both Spocky and MconnectDAO flagged this. Start low, scale via Risk Stewards. The asset is unproven on this chain.

3. Oracle specification before Snapshot. The community should see the oracle architecture — feed type, heartbeat, deviation threshold, fallback — before voting.

4. Liquidation readiness assessment. Confirm that liquidation bots are deployed, tested, and active on MegaETH for stcUSD before the AIP executes.

---

Position

Support with conditions. The product case is real, the usage is organic, and MegaETH benefits from the asset. But the circular dependency between Cap and Aave is a structural risk that standard LTV parameters don’t address. LlamaRisk’s assessment should explicitly model the reflexive loop, and initial parameters should reflect the young-chain premium — lower caps, lower LTV, higher liquidation bonus than Ethereum mainnet equivalents.

– Robby G. | Tokedex.org

Hi, Jae from the Cap team here. Thanks for the proposal and the feedback @MconnectDAO, @robtg4. To address some of the points brought up here:

1. Circular dependency: we acknowledge that the cUSD being deployed onto Aave can create contagion risk and have since diversified the reserve. The long term strategy is for the reserve to be backed by tokenized treasuries. The current reserve composition can be monitored here: https://cap.app/vault/reserves/cUSD

2. MegaETH oracle structure: stcUSD Chainlink oracle on MegaETH is live: Price Feed Contract Addresses | Chainlink Documentation

3. MegaETH specific audits: stcUSD follows a standard OFT implementation with an ERC 20 permit using LayerZero’s inheritance cap-contracts/contracts/token/OFTPermit.sol at main · cap-labs-dev/cap-contracts · GitHub

Thanks for the detailed response. A few follow-up thoughts:

Reserve diversification Appreciate the transparency via the live reserve dashboard. It would strengthen confidence if the governance proposal could commit to a minimum threshold (e.g., <30% cUSD exposure in the reserve) as an on-chain parameter or at least a stated policy.

Oracle Good to see Chainlink live on MegaETH. Can you clarify the oracle update frequency and deviation threshold? Given MegaETH’s high-throughput environment, a stale price window could still pose liquidation risk during volatility.

OFT audit scope – The LayerZero OFTPermit inheritance is noted. Has the MegaETH-specific deployment been independently audited (not just the base OFT contracts)? Cross-chain mint/burn paths often introduce chain-specific edge cases.

Overall, the team’s responsiveness is appreciated. Pending LlamaRisk’s full assessment, these clarifications would help the community make a more informed decision. Supportive of moving forward if these concerns are addressed.

Great points. To follow up:

1. Again, there is no Aave exposure. By design, there is a 10% threshold enforced by utilization. https://cap.app/asset/1/USDC Happy to discuss further if there are specific asks.

2. 0.5% deviation threshold and 24hr heartbeat

• capUSD-USD: 0x72b127332BEC8722ec964235D33658A72E451754
• stcUSD-cUSD: 0x7055a15452B19D193fbA6ec2FF6bf7B515cf577d

3. We’re using LayerZero audited code with no changes in the base contracts other than the standard OFTPermit inheritance. Can get a third party review on this upon further request

This analysis serves as an addendum to our initial analysis of Cap Protocols cUSD and stcUSD. The main areas covered include

1. A technical review of all the smart contracts of the cUSD and stcUSD and their main dependencies, including Layerzero cross-chain configs.
2. An update on material changes and liquidity conditions
3. Parameter recommendations

Summary

LlamaRisk supports the onboarding of stcUSD. Although both Cap assets have been evaluated, following discussions with service providers and the respective teams, the preference is to commence onboarding with stcUSD only at this stage.

This is a technical review of the key smart contracts for cUSD and stcUSD, along with their main dependencies.

Asset Description

Cap USD (cUSD) is a U.S. dollar stablecoin with underlying reserves consisting of institutional-grade stablecoins, including USDC and WTGXX. cUSD is 1:1 collateralized by these onchain assets and can be redeemed on the same basis.

Staked Cap USD (stcUSD) is a yield-bearing stablecoin that generates yield from underlying cUSD collateral, allocated to various yield strategies curated by institutional investors, called ‘Operators’.

Technical Analysis

The focus of our technical analysis includes the following aspects, critical for the correct and secure integration with Aave:

• A recommendation of a pricing strategy to be used in the Aave integration.
• Mechanism to update the exchange rate of the asset for the underlying.
• Analysis of the access control (ownerships, admin roles) and the nature of the entities involved in the system. Regarding the table permissions’ holders and their criticality/risk, it is done following these guidelines:

Contracts

The following is a non-exhaustive overview of the main smart contracts for cUSD and stcUSD related to the main protocol functions, i.e., collateralized borrowing.

CapToken

Deployed behind an upgradable ERC1967Proxy contract, the CapToken contract integrates minting and burning operations for cUSD and asset management functions for underlying assets within its vault structure. Implementing Oppenzepplin’s proxy standard, the implementation contract directs to this address. CapToken inherits from the Vault and UUPSUpgradeable contracts, which affects upgrades via the proxy.

Operations

1. Mint: Any user can mint new CapTokens by depositing an underlying asset by calling the mint() function. Internally, getRemainingMintCapacity() checks the deposit cap and truncates _amountIn if it exceeds the remaining capacity. The contract then calls Minter.getMintAmount() to calculate amountOut and fee. Mint fees set are sent to the insurance fund.

   1. The insurance fund is a 2/3 Multisig, and currently holds $500K denominated in cUSD and USDC.

2. Burn: Users can burn vault tokens to receive a single underlying asset by calling the burn() function. Internally, getBurnAmount() calculates the underlying amountOut and fee. The vault verifies that it has a sufficient balance of the underlying asset via the divest() function. Finally, VaultLogic.burn() enforces slippage and deadline checks, with the fee retained in the vault and amountOut sent to the receiving address.

3. Redeem: Users can redeem vault tokens for a proportional share of every underlying asset in the vault by calling the redeem() function. The contract calls _burn() to destroy the vault tokens upfront, and the vault then verifies that a sufficient balance of each underlying asset is available. Fees are retained in the vault.

4. Borrow: Permissioned addresses with borrow access can borrow underlying assets by calling the borrow() function. The checkAccess() modifier restricts callers. divest() verifies the vault has sufficient balance. Finally, VaultLogic.borrow() updates totalBorrows[_asset] and transfers _amount to _receiver.

5. Repay: Permissioned addresses with repay access can repay borrowed assets by calling the repay() function. The checkAccess(this.repay.selector) modifier restricts callers. VaultLogic.repay() decreases totalBorrows[_asset] and transfers _amount of _asset from the message sender to the vault (requires prior ERC‑20 approval). The function does not verify that the repayer is the original borrower.

6. Add/Remove Asset: Admin addresses can add or remove an underlying asset to the vault by calling the addAsset(_asset) or removeAsset(_asset) functions. The checkAccess() modifier restricts callers.

7. Pause/Unpause Asset: Admin addresses can pause and unpause a specific asset by calling the unpauseAsset(_asset) or pauseAsset(_asset) functions. The checkAccess() modifier restricts callers.

8. Pause Protocol: Permissioned users can pause the entire protocol by calling the pauseProtocol() function. The checkAccess() modifier restricts callers. The internal _pause() function from OpenZeppelin’s PausableUpgradeable activates the whenNotPaused modifier on mint, burn, redeem, borrow, and repay, temporarily locking all user funds.

9. Unpause Protocol: Permissioned users can unpause the entire protocol by calling the unpauseProtocol() function. The checkAccess() modifier restricts callers. The internal _unpausefunction deactivates the global pause, resuming all operations.

10. Upgrade: Admin can upgrade the proxy implementation logic by calling: upgradeTo(address newImplementation).

Access Control

All permissioned functions are validated by the checkAccess method in the Access Control contract, which determines whether the caller can operate.

stakedCap

Deployed behind an upgradable ERC1967Proxy contract, StakedCap is an ERC4626 yield-bearing vault that integrates minting and burning operations for staked Cap tokens and manages the vesting logic for newly accrued yield from the underlying asset.

Operations

1. Deposit and Mint: Users can deposit the underlying cUSD and receive stcUSD tokens by calling deposit(). It calculates shares via previewDeposit(assets) and calls _deposit() , which updates storedTotal += assets. Minting is enacted by mint() function, calculating the required assets via previewMint(shares) and calling the same _deposit logic. Staked Cap tokens are minted to the receiver.
2. Withdrawal and Redeem: Users can redeem shares for underlying assets by calling redeem(), which burns a specific number of shares and sends the underlying assets. Uses previewRedeem(shares) to calculate assets returned. Users can withdraw using withdraw(), which withdraws a specific amount of underlying assets. Uses previewWithdraw(assets) to calculate shares burned.
3. Yield Notification: Anyone can notify new yield accrual by calling notify(), which starts linear unlock of newly deposited yield.
4. Upgrade: Admin can upgrade the proxy implementation logic by calling: upgradeTo(address newImplementation), inherited from UUPSUpgradeable.

Access Control

DebtToken

The DebtToken contract integrates minting and burning operations for debt tokens representing borrowed assets, with automatic interest accrual and interest rate management functions within its lending market structure. The contract relies on an oracle to fetch market, benchmark, and utilization rates, which determine the dynamic interest rate applied to all debt positions. Each mint or burn operation triggers an index update that compounds interest and recalculates the current interest rate.

Operations

1. Mint: Lender can mint debt tokens representing borrowed assets by calling mint()==,== minting debt tokens to a specified address. Internally calls _updateIndex() to refresh the accrual index before minting, then _mintScaled(), which scales the minted amount by the current debt index.

2. Burn: Lender burns debt tokens (repays debt) by calling burn(). Internally calls _updateIndex() to refresh the accrual index before burning, then _burnScaled(), it scales the burned amount by the current debt index.

3. Interest Rate Accrual: The contract automatically accrues interest when any mint or burn occurs by calling _updateIndex()

4. Debt Calculation: View functions for accrued interest include;

   1. balanceOf(): Returns _balanceOfScaled(), which multiplies the user’s scaled balance by the current index.
   2. totalSupply(): Returns _totalSupplyScaled(index()), showing total debt, including accrued interest.
   3. index(): Returns the current debt index.

5. Upgrade: Admin can upgrade the proxy implementation logic by calling: upgradeTo(address newImplementation), inherited from UUPSUpgradeable.

Access Control

Oracle

The Oracle contract unifies price and rate oracle functionality, providing asset prices, market rates, benchmark rates, and utilization rates to determine dynamic borrowing costs across debt positions.

Operations

1. Rate Queries: External contracts can fetch market rates, benchmark rates, or utilization rates by calling rate getter functions inherited from PriceOracle and RateOracle. Current Oracles:

   1. Price: USDC ChainlinkAdapter, wWTGXX FixedPriceOracle
   2. Rate: USDC AaveAdapter, wWTGXX (none)

Lender

The Lender contract manages borrowing and repayment of whitelisted tokens by Operators (covered agents), calculating interest based on asset utilization rates within vaults. Lender inherits from UUPSUpgradeable, Access, and LenderStorageUtils, which affects upgrades via the proxy.

Operations

1. Borrowing: Agents can borrow assets by calling the borrow() function. Internally, it calls BorrowLogic.borrow with parameters including the agent, asset, amount, receiver, and a maxBorrow flag set to true if the amount is type(uint256).max. The borrowing process includes checks for agent eligibility (whitelisting via AccessControl), Sufficient collateral and delegation to back the borrow, and borrow amount not exceeding the maximum borrowable amount (maxBorrowable), and health factor remaining above the targetHealth after the borrow (among other checks).

2. Repay: Agents can repay borrowed assets by calling the repay() function. Internally, it calls BorrowLogic.repay with the agent, asset, amount, and caller (msg.sender) as parameters.

3. Interest Management: Anyone can realize accrued interest for an asset by calling the realizeInterest() function. Internally, it calls BorrowLogic.realizeInterest, which calculates accrued interest based on utilization rates and adds it to the reserve’s interest receiver.

4. Restaker Interest: Restakers can realize their specific accrued interest by calling the realizeRestakerInterest() function. Internally, it calls BorrowLogic.realizeRestakerInterest, which calculates and transfers the interest earned by a restaker for a specific agent-asset pair.

5. Liquidations:

   1. Opening: Any user can open a liquidation for an unhealthy agent by calling the openLiquidation(agent) function. Internally, it calls LiquidationLogic.openLiquidation, which checks if the agent’s health factor has fallen below the emergencyLiquidationThreshold and records the start time.
   2. Closing: Users can close a liquidation by calling the closeLiquidation(agent) function. Internally, it calls LiquidationLogic.closeLiquidation, which removes the agent from liquidation status.
   3. Liquidation Repayment: Liquidators can repay agent debt and receive collateral by calling the liquidate() function. Internally, it calls LiquidationLogic.liquidate with repayment parameters and a minimum acceptable liquidation value.

6. Asset Management:

   1. Add Asset: Permissioned users can add an asset by calling the addAsset() function. The AddAssetParams struct includes asset address, vault, debt token, decimals, interest receiver, and min borrow amount. Internally, it calls ReserveLogic.addAsset and increments reservesCount.
   2. Remove Asset: Authorized users can remove an asset by calling the removeAsset() function. Internally, it calls ReserveLogic.removeAsset.
   3. Pause/Unpause: Authorized users can pause/unpause an asset by calling the pauseAsset() function.

Access Control

Delegation

The Delegation contract manages slashing, reward distribution, and coverage calculations for restakers providing coverage to borrowers within a symbiotic network middleware architecture. The contract tracks agent-specific parameters, including loan-to-value (LTV) ratios and liquidation thresholds. In the contract context, an Operator is a trusted entity that manages the delegation system that enables agents to borrow.

Operations

1. Agent Management:

   1. Adding Agents: Operators can add new agents by calling the addAgent() function. Internally, it validates that LT does not exceed 100% and is non-zero, and ensures the agent is not a duplicate via agents.add(). The function then stores the agent’s network, LTV, and liquidation threshold
   2. Managing Agents: Operators can modify existing agents via modifyAgent(), which performs the same validation checks and updates the agent’s parameters after verifying existence via agents.contains(_agent).

2. Network Registration: Operators can register new networks by calling registerNetwork(). The function validates that _network is not the zero address, adds the network to the network’s enumerable set via networks.add(), which reverts with DuplicateNetwork if already present.

3. Slashing: Operators can slash an agent by calling slash(). The slashShare is calculated as _amount * 1e18 / networkSlashableCollateral.

4. Reward distribution: Anyone can distribute rewards by calling distributeRewards(). The function retrieves the contract’s balance of _asset via IERC20(_asset).balanceOf(address(this)). If coverage(_agent) returns zero; the entire amount is transferred to feeRecipient.

5. Coverage Query: Users can query an agent’s effective coverage by calling coverage(_agent).

Access Control

Vault Adapter

The VaultAdapter contract calculates dynamic interest rates for assets in external vaults using utilization data and configurable slope parameters. The contract tracks utilization per vault-asset pair, applies a piecewise rate curve around a kink threshold, and adjusts a time-sensitive multiplier.

Operations

1. Interest Rate Calculation: The contract calculates interest rates based on vault utilization by calling the rate() function. Internally, it retrieves stored utilization data, including the last update timestamp and utilization index. Internal function applies the rate logic based on where utilization falls relative to the configured kink point.
2. Modify Slopes: Permissioned users can modify rate curve parameters by calling setSlopes(). This function validates that the kink value is neither zero nor greater than or equal to 100%, then stores the slope0, slope1, and kink values for the specified asset.
3. Modify Limits: Permissioned users can modify global multiplier limits and adjustment speed by calling setLimits(). This function updates the stored maxMultiplier, minMultiplier, and rate values that control how quickly the dynamic multiplier moves toward its bounds.

Access Control

Network Middleware

The SymbioticNetworkMiddleware contract (likewise with the EigenLayer version) manages collateral, slashing, and reward distribution for agents within a Symbiotic-based network. It integrates with Symbiotic vaults to register coverage, slash operators based on oracle prices, and route rewards to staker rewarders.

Operations

1. Vault Registration: Permissioned users register a vault for agents by calling registerVault(). The function checks caller access, verifies that the agent is not already registered, and then calls the internal _verifyVault() function, which validates that the vault exists in the registry and has the correct configuration. Vaults are created by the vaultFactory (CapSymbioticVaultFactory) contract, which deploys new vaults compliant with the Cap system.

   1. When the createVault function is called, the _asset parameter (the collateral address) is passed into the vault’s initialization parameters, along with configurable deposit and slashing parameters.

2. Slashing: Permissioned callers can slash an agent via slash(). The function retrieves the agent’s vault, calculates slashable collateral via slashableCollateralByVault(), then computes the actual slash amount.

3. Reward Distribution: Permissioned callers distribute rewards via distributeRewards().

Access Control

AccessControl

The AccessControl contract provides granular role-based access control for contract functions, enabling access rights for specific functions within specific contracts. The contract inherits from AccessControlEnumerableUpgradeable from OpenZeppelin.

Operations

1. Grant Access: Permssioned users can grant function-level access to a specific contract by calling the grantAccess() function. Internally, it checks that the caller has the grant access role via _checkRole(). It then creates a unique role ID assigned to the specific contract.
2. Revoke Access: Admins can revoke function-level access by calling revokeAccess(). Internally, it checks that the caller has the revoke access role via _checkRole(role(). The contract prevents self-revocation.

Access Control

TimelockController

The TimelockController contract integrates role-based access control and time-locked execution into its modular structure for governance operations. TimelockController inherits from AccessControl, which enables it to enforce a minimum delay on scheduled operations. The current minimum delay set is 24 hours.

Access Control

Roles

L2TokenUpgradeable

The L2TokenUpgradeable contract, which the cUSD and stcUSD MegaETH proxy deployments point to, implements cross-chain token functionality using LayerZero’s OFT (Omnichain Fungible Token) standard, combining ERC20 features for gasless approvals and UUPS upgradeability.

Operations

1. Cross-Chain Send: User calls send(), this function internally calls _debit(), which burns the user’s tokens on the source chain. The function then calls _lzSend() to send a LayerZero message to the destination chain. The LayerZero endpoint delivers the message on the destination chain following verification by the configured DVNs.
2. Cross-Chain Receive: the LayerZero endpoint calls the lzReceive() function, which extracts the recipient address and amount, then calls _credit() and subsequently calls the internal _mint() function.

Access Control

OFTLockboxUpgradeable

The mainnet bridge sits behind an ERC1967Proxy and serves as the LayerZero OFT Adapter lockbox, with the implementation OFTLockboxUpgradeable contract. The mechanism holds the canonical assets on the chain and facilitates cross-chain transfers via a lock-and-release mechanism for the underlying assets. Upgrades flow through the proxyadmin, authorized exclusively by the contract owner.

Operations

1. Cross-chain Send: users can bridge tokens by calling send function from the inheritedOFTAdapterUpgradeable. The adapter locks the underlying token in the lockbox and emits a LayerZero message to the destination chain’s OFT peer, where an equivalent amount is minted or released.
2. Cross-chain Receive: Inbound messages from LayerZero peers are processed via the inherited _lzReceive handler. The lockbox unlocks and transfers the underlying token to the recipient on the home chain upon receipt of a verified cross-chain message.
3. Peer Management: The OApp owner can configure trusted remote peers by calling the inherited setPeer function. This determines which destination-chain contracts are authorized to send and receive messages through this adapter.
4. DVN / Enforced Options Configuration: The OApp owner can set send and receive library configurations and enforced messaging options (e.g., DVN sets, executor, gas limits) via the LayerZero endpoint.
5. Delegate Management: The OApp owner can reassign the delegate (the address authorized to make OApp configuration changes) via the inherited setDelegate() function on the LayerZero endpoint.
6. Upgrade: The owner can upgrade the implementation contract by calling upgradeToAndCall, authorized through _authorizeUpgrade which enforces onlyOwner.

Access Control

Bridge Configuration

Cap Protocol uses LayerZero’s OFT standard with a 3/0 DVN setup. Funds locked on mainnet before being minted on MegaETH. The protocol recently switched to the 3/0 setup comprising LayerZero Labs, Nethermind, and Canary.

The required DVNs:

• 0x282b3386571f7f794450d5789911a9804FA346b4 - LayerZero Labs
• 0x7DEcC6Df3aF9CFc275E25d2f9703eCF7ad800D5D - Canary
• 0xeEdE111103535e473451311e26C3E6660b0F77e1 - Nethermind

This setup can be considered reasonably secure, not relying on a quorum not as prone to exposure. cUSD and stcUSD are only available on Ethereum and MegaETH. At the time of writing 660K stcUSD is currently locked in the mainnet bridge.

Technical Conclusion

Based on our assessment, we believe cUSD and stcUSD do not have significant infrastructure barriers to listing; however, we identified technical implementations that could pose potential security risks to users’ funds on the Aave Protocol. We summarized the risk considerations below.

• Vault: The pauseProtocol() function allows the admin to globally pause all withdrawals (mint, burn, redeem). The Cap Deployer contract retains this privilege; if compromised, this could lock all user funds and freeze the protocol until the Multisig unfreezes it.

Additionally, the MegaETH OFTs were initially owned by the 3/5 multisig, which was able to effect an upgrade without delay. Following engagement with the Cap team, ownership has since been transferred to the TimelockController, which applies a 1-day delay. This security measure enhances the original implementation and aligns with the security framework applied to other critical operations.

Fundamental Analysis Update

Asset Classification

stcUSD remains a yield-bearing stablecoin, comparable to already-onboarded assets such as syrupUSDC/USDT. Thus, staked cUSD complies with an accepted asset classification under AAcA.

Multi-Chain Scope

stcUSD is available on Ethereum, MegaETH, and Tempo via LayerZero OFT. While mainnet and MegaETH represent chains that Aave has deployed on, Tempo has yet to be fully assessed. stcUSD can be bridged interchangeably between these. LZ OApp configurations between chains remain consistent, i.e., DVN sets persist as message senders and receivers.

cUSD and stcUSD on Tempo uses a TempoBridgeUpgradeable contract to bridge between the 2 available routes. The LayerZero OFT adapter bridges the TIP20 Tempo standard (ERC20 equivalent) of the Cap token between Tempo and the EVM chains, using the same mint/burn pattern. The bridge employs an ownable pattern, with the following operations.

1. Cross-chain Send: Caller approves the bridge, then calls send. Bridge pulls tokens via transferFrom, burns them, and emits a LayerZero message to the destination peer to mint an equivalent amount.
2. Cross-chain Receive: Inbound LZ messages are processed via _lzReceive. Bridge calls mint on the TIP-20 to credit the recipient directly.
3. Peer Management: Owner calls setPeer to configure trusted remote contracts. Governs which destination-chain addresses may send and receive messages through this bridge.
4. DVN / Enforced Options Configuration: Owner sets send/receive library configs and enforced messaging options (DVN sets, executor, gas limits) via the LayerZero endpoint.
5. Delegate Management: The owner can call setDelegate to reassign the address authorized to make OApp configuration changes.
6. Upgrade: Owner can call upgradeToAndCall.

Access Control

While the Tempo chain has not been analyzed previously, the bridging mechanism follows established LZ mechanisms. Access controls on the bridge follow the same Timelock-controlled permissions access.

Asset Backing Structure and Visibility

Cap idle reserves are currently held in Morpho vaults, which represent ~34% of total reserves. The Cap team indicated that this setup is being changed, with idle reserves being moved to TBill products via partners such as Ondo.

Additionally, collateral assets, which consist of Aave (wstETH and weETH) and non-Aave onboarded assets (uniBTC and solvBTC), will evolve to enable RWAs as eligible collateral.

Source: Assets in Reserve, Cap Protocol, June 12th, 2026

Underlying assets are predominantly held in USDC (>93%) with the remaining held in WTGXX. This remains consistent with our initial analysis. At present, exit liquidity remains accessible from lending protocols.

Operators

Currently, there are 30 whitelisted borrowers, of whom 15 are active and have borrowed $42.3M. Their health scores over 120%. This represents an increase since our initial analysis, which saw $16.88M lent to 6 operators.

Source: Operator Loans, Cap Protocol, June 12th, 2026

Relative to our initial observation, the LTV/LT Ratio map indicates that loans have improved their overall scores, with fewer borrowers near the liquidation threshold. The team indicated that a more in-depth dashboard was being developed with greater visibility on parameters and operator loan health.

The protocol supports per-vault exposure limits, allowing collateral concentration risk to be managed at the individual asset or underwriter level. Coverage caps are already active for several underwriters, with the team indicating that the framework is applicable across the collateral base when required.

Restakers

Underwriters (i.e., Delegators) to loans have increased from 17 to 22, with the combined delegation growing to $213.52M from $74.05M.

Permitted collateral assets and parameters are determined by the Cap team. The current Loan to Value parameters:

• 50-60% LTV limits on volatile assets
• 80% LTV on stable assets

The current Liquidation Threshold parameters:

• 80% LT for volatile assets
• 85% LT on Stable assets
• 90% Emergency LT for all assets

At the vault level, per-asset liquidation thresholds are configured at deployment and are not intended to be adjusted, providing borrowers with predictable collateralization requirements and, upon breach, a 12-hour grace period during which they may repay outstanding debt before liquidation is triggered. The emergency 90% LT, which bypasses the grace period, functions as a circuit breaker, waiving the standard grace window due to protocol solvency risk.

The emergency liquidation bonus is dynamically capped at (collateral - debt) / debt. The bonus compresses as the collateral buffer narrows, ensuring that liquidations don’t payout more than the liquidatable collateral, thereby pushing a position into bad debt. For example, at 91% LTV, the bonus ceiling is ~9%, and at 95% LTV, it falls to ~5%.

Slashing on Symbiotic

Within Symbiotic’s Shared Security Network, Cap Protocol operates as a network, permitted to slash Operators whose assets are restaked to them. Networks define their own methods for penalizing Operators within the overall slashing framework, with the liquidations/slashing framework consisting of 4 primary contracts: Delegation, Vault, Network Middleware, and Burner Router. The slashing process on Symbiotic mirrors the liquidation process defined by the Cap protocol, and follows the following process:

1. The Network Middleware contract sends a slashing request to a penalized vault
2. The vault’s Slasher module checks if the request is valid,
3. 1. Reads stake data from the Delegator and its own internal data (previous slashes).
   2. Guarantees that the collateral snapshot will remain slashable for one vault epoch after that timestamp (otherwise, it is considered stale and rejected).
   3. Checks that the amount constraint is within a slashable amount < remaining collateral.
   4. If valid, the vault updates its internal data and the Delegation contract
4. Slasher calls The Vault’s Burner module to process the penalized collateral.

Within this framework, networks choose which slashing configuration to implement for their model and which penalties enact slashing (e.g., redistributing stake, burning tokens, routing stake to a contract).

Cap Protocol Slashing Configuration

The configurations implemented by Cap Protocol for delegations and liquidations (Symbiotic Slashing) are summarized as follows:

Vaults

• Symbiotic Vaults are isolated per borrower. Immutability is enforced by OperatorNetworkSpecificDelegator.
• Each borrower position is isolated to a single underwriter and collateral asset. When a vault is created, a new operator and vault instance are created (borrower position).
• Vaults implement an INSTANT slashing type, meaning the Slasher module is validated and executed in a single step (no dispute window).

Liquidations

• Liquidations are callable by anyone from the Lender contract via the liquidate function after the openLiquidation window, which invokes IDelegation.slash to begin slashing the target vault.
• Liquidators repay up to maxLiquidatable of the Operator’s debt. The liquidation bonus implements a dynamic liquidation bonus system, with the bonus rising linearly until the 10% bonusCap during an auction window.
• The LB does not differ per asset, and under emergency liquidations, the 10% maximum applies immediately (when LTV exceeds the emergency LT).
• The vault reduces the operator’s effective stake and forwards the penalized collateral to a Burner. Assets are seized and transferred through the BurnerRouter.
• BurnerRoute transfers assets upon a valid liquidation. Transfers route to the Network Middleware contract for all Cap protocol vaults.
• The Middleware contract transfers the funds to the liquidator’s _recipient address set when liquidate was called. Liquidators are compensated for the USDC repaid + applicable liquidation bonus.
• If the health score of the borrower recovers to ≥ 1e27 (>100%) after the liquidation, the window closes. (Liquidations are only partial, up to a +25% health target recovery)

The protocol operates a layered liquidation infrastructure alongside its permissionless mechanism. The Cap team indicated that formalized liquidation agreements for specific collateral types are under negotiation with market makers. As a further backstop, the protocol operates a proprietary liquidation keeper capable of executing both atomic and non-atomic liquidations that require temporary treasury capital deployment. This multicontingent approach reduces reliance on permissionless liquidator participation during periods of market stress.

Historical Symbiotic Slashes

To date, there have been only 2 slash events on Symbiotic, all performed on Cap Protocol Vaults. Given the Operator, the slash amount, the Middleware address, and timing, these events were likely internal initial tests performed by the Cap protocol. Therefore, it is difficult to determine how effectively historic liquidations have been performed from the small dataset.

Token Holder Concentration

As of June 12th, 2026, cUSD has 478 holders and a total onchain supply of 209.9K. The largest 3 holders:

• EOA 1: 45.26%
• EOA 2: 11.56%
• EOA 3: 11.08%

stcUSD currently has 197 holders and a total supply of 1.07M tokens onchain. Liquidity is concentrated with 3 holders:

• EOA 1: 74.14%
• stcUSD/USDm Kumbaya: 19.69%
• EOA 2: 1.29%

Liquidity

stcUSD and cUSD liquidity remains low on MegaETH. The Cap protocol team has committed $2M to stcUSD liquidity on the Kumbaya DEX.

Source: cUSD/USDm Fly, June 12th, 2026

Source: stcUSD/USDm Kumbaya, June 12th, 2026

Source: cUSD Liquidity Pools on MegaETH, GeckoTerminal, June 12th, 2026

Source: stcUSD Liquidity Pools on MegaETH, GeckoTerminal, June 12th, 2026

Volatility

The cUSD/USDM pool lacks sufficient liquidity, creating frequent volatility around the intended $1 peg. The maximum and minimum price deviations observed were 1.03 and 0.97, respectively.

Source: cUSD/USDM pair, Dune, June 12th, 2026

Given the more recent Kumbaya pool deployment for stcUSD, market volatility data is limited. The sole pool of meaningful liquidity was launched on April 28th, 2026, making a relative comparison to the internal exchange rate impractical at this stage.

Source: stcUSD/USDM pair, GeckoTerminal, June 12th, 2026

Multisig Threshold / Signer identity

Signers are Cap Protocol members.

Aave V3 Specific Parameters

stcUSD Stablecoin E-Mode

Price Feed Recommendation

We recommend pricing stcUSD on MegaETH using the Chainlink stcUSD/cUSD exchange rate feed in conjunction with a base USDC/USD price feed and CAPO adapter. Both price feeds use a 0.5% deviation threshold and a 24-hour heartbeat.

While a cUSD/USD Chainlink price feed exists, the feed is an internal exchange rate feed, with the base feed necessitating a market price reference with the exchange-rate component for accurate price reporting for Aave. Given that >93% of cUSD is backed by USDC, we recommend this setup until the appropriate market rate feed is deployed.

CAPO Configuration.

The effective yield of stcUSD varies over time based on the selection of Operators, their approved strategies, and the idle liquidity deployed to DeFi protocols that earn passive yields. stcUSD yield has demonstrated minimal volatility over the past three months.

Source: stcUSD APY, Dune, June 12th, 2026

We recommend setting MINIMUM_SNAPSHOT_DELAY to 14 days and maxYearlyRatioGrowthPercent to 10.5%. This would help smooth short-term volatility, given the asset’s relatively recent deployment, thereby ensuring consistent pricing.

Disclaimer

This review was independently prepared by LlamaRisk, a DeFi risk service provider funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.

The information provided should not be construed as legal, financial, tax, or professional advice.

[Asset Technical Assessment] stcUSD on Aave V3 MegaETH

Author: Aave Labs

Date: 2026-06-18

---

Summary

Technical assessment of stcUSD (Staked Cap USD) for onboarding to Aave V3 MegaETH, following the Technical Asset Listing Framework.

Overall result: MEDIUM

stcUSD on MegaETH is an operationally clean LayerZero OFT (Omnichain Fungible Token) that wraps the Ethereum ERC-4626 vault, with no externally owned account (EOA) in any gating role, a 3-of-3 independent verifier set on the bridge, an over-collateralised escrow, and an extensive recent third-party audit history that includes a dedicated review of the bridge layer.

Listing Recommendation

From a technical standpoint, stcUSD on Aave V3 MegaETH is eligible for listing. The LayerZero bridge currently has no rate limits configured. Aave Labs recommends that the issuer implement bridge rate limits as soon as practical. This is not a blocker for an initial listing, but it should be revisited as exposure to the asset grows.

Asset under review

stcUSD is the yield-bearing wrapper of Cap’s cUSD stablecoin: yield is generated on Ethereum by lending the underlying assets to a set of borrowers (operators), whose positions are backed by restaked collateral that absorbs any operator losses before they can reach stcUSD holders. On MegaETH, stcUSD is a LayerZero OFT that mirrors a fraction of the Ethereum supply: it holds no exchange-rate state of its own and can be minted only by a verified LayerZero message.

0. Pre-screening

On MegaETH, stcUSD is deployed as an upgradeable OFT contract. The asset is not in any non-approved or sanctioned category, and stcUSD is not currently listed on any other Aave deployment. Circulating supply on MegaETH is small, approximately 35,249 stcUSD (about $37.6k), because the large majority of stcUSD supply remains on the Ethereum issuance vault (approximately $71.6M).

Rating: MEDIUM → first such listing for Aave (a bridged OFT over an ERC-4626 vault), with supply on MegaETH tiny relative to the Ethereum vault.

1. ERC20 Compliance

The MegaETH token is a minimal LayerZero OFT with ERC20PermitUpgradeable and UUPSUpgradeable, 18 decimals, non existent fee on transfer, no rebasing, no ERC777 or ERC1363 hooks, no flash mint, and no transfer restrictions or whitelist.

Rating: GOOD

2. Oracle

Both Chainlink price feeds are live on MegaETH: a cUSD/USD feed at 8 decimals and a stcUSD/cUSD feed at 18 decimals, both standard Chainlink feed contracts with public read access. A composite stcUSD/USD price is derivable from the two feeds.

Rating: GOOD

3. Access Control

No EOA holds a gating role on the MegaETH listing path. The authority to upgrade the MegaETH OFT is held by the Cap MegaETH Timelock (an OpenZeppelin TimelockController with a 24h delay and a 3-of-5 Safe as proposer), while control of the LayerZero configuration (peers, verifiers, libraries) sits directly with the Cap Developer Safe (3-of-5, effective immediately, by design for incident response). The Ethereum-side adapter is owned by its own 24h Timelock.

On MegaETH, tokens can be minted only when a verified LayerZero message arrives, and burned only from the holder’s own balance when they bridge out (LayerZero burns directly from the sender’s wallet, with no prior transfer to a separate bridge contract); there is no pause, no blacklist, and no token-level mechanism for the issuer to block Aave liquidations. The only EOA with any privilege is a non-elevating executor on the Ethereum Timelock, which can trigger operations that are already queued and past their delay but cannot act on its own.

Rating: MEDIUM → upgrade path is multisig +24h Timelock (Level 3); lower duration that the preferred for Good (>=48h).

4. Exchange Rate and Yield

The exchange rate exists only on the Ethereum ERC-4626 vault and is exposed through standard ERC-4626 methods (for example convertToAssets, currently about 1.0664 cUSD per share). The rate is simply the ratio between the vault’s cUSD assets and its stcUSD shares, so it is share-based and cannot be manipulated by flash loans; any operator losses are first absorbed by Symbiotic and EigenLayer restaked collateral, with an unbonding period of 8 to 14 days before a loss could reach stcUSD holders. Redemption happens only on Ethereum, where the vault returns cUSD via redeem or withdraw, so a liquidator on MegaETH must either sell on a local DEX or bridge the tokens back to Ethereum.

Rating: GOOD

5. Token Architecture

Supply is controlled by the issuer at the Ethereum vault and reaches MegaETH only through a single bridge (LayerZero), via verified cross-chain messages. Every mint and burn is observable on-chain through standard token transfer events (to and from the zero address) alongside the matching LayerZero events. The token logic contains no raw delegatecall (only the standard ERC-1967 proxy delegation), no tx.origin patterns, no duplicate or legacy entry points to the same supply on MegaETH, and no transfer restrictions or hooks. The same vanity address 0x88887bE419578051FF9F4eb6C858A951921D8888 is used on both Ethereum and MegaETH, but it is a different contract on each chain: the ERC-4626 vault and escrow on Ethereum, and the OFT token on MegaETH. The two are linked only by the bridge accounting described in Section 6, where the supply locked on Ethereum backs the supply minted on MegaETH.

Rating: MEDIUM → stcUSD cannot be redeemed on MegaETH (redemption requires bridging back to the Ethereum vault first), so liquidators on MegaETH depend on local DEX liquidity, which is currently unverified, or on the slower path back to Ethereum.

6. Bridge and Cross-Chain Risk

stcUSD moves across chains on LayerZero V2 only. Ethereum holds the canonical supply: when tokens are bridged out they are locked in an escrow (lockbox) contract on Ethereum and minted on MegaETH, then burned on MegaETH and unlocked on Ethereum when bridged back. The network also includes Tempo, which runs a second lock-and-release adapter, with a direct route between MegaETH and Tempo and every route configured symmetrically in both directions. Every route is set to wait 15 block confirmations before a message is accepted (the number of blocks that must be mined to guard against chain reorganisations) and requires a 3-of-3 verifier set: three independent DVNs (Decentralized Verifier Networks, the parties that must all attest to a cross-chain message), operated by LayerZero Labs, Canary, and Nethermind, none of them run by Cap. The send and receive libraries are pinned to LayerZero’s canonical versions. The escrow locked on Ethereum (59,114.12 stcUSD) over-collateralises the total supply bridged out to the other chains (59,100.06 stcUSD).

Rating: MEDIUM → robust verifier set and over-collateralised escrow, but no rate limits are configured on the bridge contracts and the LayerZero configuration can be changed immediately, with no timelock, by the Cap owned 3-of-5 Safe.

7. Audit and Security History

The Cap protocol has an extensive audit history covering nine independent reviews (Zellic, Trail of Bits, Spearbit ×2, Recon, Sherlock audit contest with $126k pool, Certora on the restaker layer, Octane), plus a dedicated Electisec review of the LayerZero bridge layer (OFTLockbox and L2Token) directly relevant to Section 6. A $1M Sherlock bug bounty is in place and no past exploits are on record.

Rating: GOOD

8. Dependencies

Primary dependencies are LayerZero V2 (endpoints, libraries, 3-of-3 verifier set), the Ethereum stcUSD ERC-4626 vault, the underlying cUSD stablecoin, and Symbiotic and EigenLayer restaked collateral that absorbs operator losses first. All audited and in production; no dependency administered by an EOA sits in the listing path.

Rating: MEDIUM → the asset relies on several independent technologies (a cross-chain bridge plus two external protocols, Symbiotic and EigenLayer, underpinning backing and redemptions), which broadens the aggregate code attack surface and the number of systems that must hold for stcUSD to remain sound.

9. Summary

Findings table

Disclaimer

Aave Labs has no formal or informal affiliation with Cap or the stcUSD issuer beyond this technical assessment. Aave Labs has not been compensated by Cap or any related party in connection with this work.

Copyright

Copyright and related rights waived via CC0.

I support this proposal.

The onboarding of stcUSD appears to be a measured and low-risk expansion of the Aave V3 MegaETH market. The proposed configuration is intentionally conservative, with a relatively modest supply cap, stablecoin-focused E-Mode parameters, and no direct borrow functionality.

Yield-bearing stablecoins can be valuable additions to lending markets because they create opportunities for leveraged yield strategies while increasing demand for borrowing stable assets. This can improve capital efficiency and contribute to deeper liquidity within the ecosystem.

At the same time, stcUSD is still a relatively young asset compared to more established yield-bearing stablecoins. For that reason, I appreciate the cautious parameterization and believe ongoing monitoring of liquidity, adoption, peg stability, and protocol performance will be important before considering any future expansion of limits.

Overall, the proposal strikes a reasonable balance between supporting ecosystem growth and maintaining prudent risk management.

Shouldn’t the technical asset listing framework itself pass the ARFC stage before using it as truth for onboarding new assets? Seems a bit backwards