Sherlock is an audit marketplace and smart contract coverage protocol built on Ethereum. The platform works to protect DeFi users from exploits with security reviews from top auditors backed by smart contract coverage.
Sherlock is a novel audit marketplace built on Ethereum. The platform works to better protect DeFi users from smart contract exploits through a better-aligned incentive structure. There are three main participants in the Sherlock ecosystem: protocols, stakers, and Watsons.

Protocols come to Sherlock seeking audits from top independent security experts. Sherlock offers smart contract coverage on any contract that is reviewed as part of an audit. Coverage applies to both white-hat bounties and black-hat exploits. While coverage is optional, adding it gives the protocol assurance that Sherlock has skin in the game: if Sherlock completes an audit and a critical bug is later found, Sherlock makes an insurance payout to repay the amount of the exploit up to the coverage limit. A claims process determines whether or not an exploit falls under coverage and should be paid out.

Stakers are the users who underwrite the smart contract coverage. They deposit USDC into the staking pool in return for a high USD yield. The yield is generated from three sources: premiums paid by protocols, interest earned from depositing staker funds into external yield strategies (Aave, Compound), and protocol incentives (paid in the SHER governance token). In exchange for earning this yield, the staker's funds are at risk of being slashed by up to 50% if a significant exploit occurs on an audited contract covered by Sherlock.

Lastly, Watsons are the platform's security experts. They perform the actual audits of each protocol's contracts and provide input on the risk. A Watson can be an entire audit team or an independent security expert.
Traditional audit firms today mostly rely on their reputation to convince protocols to use their services. Judging by the vast number of DeFi exploits and hacks that have occurred on contracts reviewed by both small and large audit firms, this has been a poor way to align incentives. When the audit firm effectively stakes its own money, it is much better incentivized to deliver a thorough audit, because its own capital is at risk.

Claims decisions are made by either Sherlock's claims committee or an unbiased third party. Sherlock has partnered with UMA to offer an unbiased claims process handled by objective, third-party voters who have economic guarantees around their incentives.

Watsons are paid from a prize pool and incentivized to outperform their peers, as the top 10% are promoted to Senior Watsons. Senior Watsons have the opportunity to signal their interest in being selected as the Lead Senior Watson in an upcoming audit contest. At the end of each audit, Sherlock's team de-duplicates and judges every issue. The team focuses exclusively on high- and medium-severity findings, as these are the vulnerabilities most likely to result in the loss of user funds.
Users can stake USDC for a fixed term of 6 or 12 months. The yield is partially fixed and partially variable. The amount of SHER token incentives is known at the time of staking and is fixed for the staking duration. Other yield strategies, such as depositing in Aave, may be fixed or floating. The premium received by stakers is also variable, depending on how many protocols elect to receive coverage. If a covered smart contract is exploited during the fixed term, the staker's funds can be slashed by up to 50%. An exploit passes through three stages: rumor, claim submission, and payout. Only stakers who are still locked up during the third stage are subject to slashing. Anyone who unstakes before the actual payout bears none of the cost of the exploit.
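The payout and slashing rules described above, as an added illustrative model that is not Sherlock's own code. It assumes, beyond what the page states, that the payout is spread pro rata across the stakers still locked at payout time and that the 50% cap applies to each staker's deposit; the staker positions and exploit figures are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

SLASH_CAP = 0.50  # page: staker funds can be slashed by up to 50%


@dataclass
class Staker:
    name: str
    deposit: float            # USDC deposited into the staking pool
    lock_end: int             # day on which the 6- or 12-month term ends
    unstaked_on: Optional[int] = None  # day of withdrawal after the term, if any


@dataclass
class Exploit:
    loss: float               # value drained from the covered contract
    coverage_limit: float     # coverage purchased by the protocol
    payout_day: int           # third stage; rumor and claim submission precede it


def locked_at(s: Staker, day: int) -> bool:
    """Exposure depends only on being locked when the payout happens."""
    if s.unstaked_on is not None and s.unstaked_on < day:
        return False
    return s.lock_end >= day


def settle(stakers: list, exploit: Exploit):
    """Return (amount paid out, per-staker slash) for one exploit.

    Assumption (not stated on the page): pro-rata split over exposed stakers.
    """
    claim = min(exploit.loss, exploit.coverage_limit)      # capped at coverage
    exposed = [s for s in stakers if locked_at(s, exploit.payout_day)]
    pool = sum(s.deposit for s in exposed)
    paid = min(claim, pool * SLASH_CAP)                    # never above 50% of pool
    slashes = {s.name: paid * s.deposit / pool for s in exposed} if pool else {}
    return paid, slashes


# Constructed sample: C left after the rumor stage but before the payout.
SAMPLE_STAKERS = [
    Staker("A", 1000.0, lock_end=200),
    Staker("B", 3000.0, lock_end=200),
    Staker("C", 2000.0, lock_end=200, unstaked_on=90),
]
SAMPLE_EXPLOIT = Exploit(loss=5000.0, coverage_limit=2500.0, payout_day=100)
```

With the sample values the claim is capped at 2500 by coverage, then at 2000 by the 50% slash cap on the 4000 USDC still locked, and C is untouched.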