Sherlock is an audit marketplace and smart contract coverage protocol built on Ethereum. The platform works to protect DeFi users from exploits with security reviews from top auditors backed by smart contract coverage.

Risk Rating: Watch Out
What we like
Sherlock is a novel decentralized solution to smart contract audits with properly aligned incentives as there is actual money at risk.
What we like less
Smart contract coverage is not fully collateralized, meaning the value staked into Sherlock's staking pool is designed to be less than the total funds that Sherlock is covering.
What it means for you
Offers you a great way to earn a high yield on USD by providing insurance coverage for smart contract audits.
  • Token: SHER
  • Tags: Insurance
Key Metrics
  • TVL: $1.5M (Rank #186)
  • TVL Ranking by Insurance: #2
  • Blockchain: Ethereum
  • Chain TVL
    • Ethereum: $1.45M
Risk Assessment
Watch Out
Protocol Code Quality
  • Code reviewed by several experienced auditors, including Trail of Bits and Code4rena
  • Public team promotes accountability
  • No documented protocol hacks since launch
Protocol Maturity
  • Core protocol launched in 2021; maturity over one year minimizes technical risk as smart contracts are well battle-tested
  • Top 20% by total value locked slightly reduces risk
  • Multisig wallet controls protocol upgrades
  • Multisig consists of at least 4 signers, which means the protocol is less susceptible to centralization risks
  • Timelock is less than 48 hours, which gives users less time to exit if any malicious upgrades are approved
  • Low voting power concentration reduces risk
Protocol Design
  • Protocol is highly susceptible to death spirals
  • This protocol is susceptible to risks related to insurance platforms where your principal is always at risk in case of a system deficit
Things to know about Sherlock

How Sherlock works

Sherlock is a novel audit marketplace built on Ethereum. The platform works to better protect DeFi users from smart contract exploits through a better-aligned incentive structure. There are three main users in the Sherlock ecosystem: protocols, stakers, and Watsons.

Protocols come to Sherlock seeking audits from top independent security experts. Sherlock offers smart contract coverage on any contract that is reviewed as part of an audit. Coverage applies to both white-hat bounties and black-hat exploits. While coverage is optional, adding it allows the protocol to know that Sherlock has skin in the game. This means that if Sherlock completes an audit and there ends up being a critical bug, Sherlock will make an insurance payout to repay the amount of the exploit up to the coverage limit. A claims process determines whether or not an exploit falls under coverage and should be paid out.

Stakers are users who provide insurance on smart contract coverage. These users deposit USDC into the staking pool in return for a high USD yield. The yield is generated from three sources: premiums paid by protocols, interest earned from depositing staker funds into external yield strategies (Aave, Compound), and protocol incentives (paid in the SHER governance token). In exchange for earning this yield, the staker's funds are at risk of being slashed by up to 50% if a significant exploit occurs on an audited contract covered by Sherlock.

Lastly, Watsons are the platform's security experts who perform the actual audits of each protocol's contracts and provide input on the risk. A Watson can be an entire audit team or an independent security expert.

How is Sherlock different from traditional audit firms?

Traditional audit firms today mostly rely on their reputation to convince protocols to use their services. Judging by the vast number of DeFi exploits and hacks across both small and large audit firms, this has been a poor way to align incentives. When the audit firm effectively stakes its own money, it is much better incentivized to provide a better audit, as its own money is at risk.

Claims decisions are made by either Sherlock's claims committee or an unbiased third party. Sherlock has partnered with UMA to offer an unbiased claims process handled by objective, third-party voters who have economic guarantees around their incentives.

Watsons are paid from a prize pool and are incentivized to outperform their peers, as the top 10% are promoted to Senior Watsons. Senior Watsons have the opportunity to signal their interest in being selected as the Lead Senior Watson in an upcoming audit contest. At the end of each audit, Sherlock's team de-duplicates the issues and judges every issue. The team is exclusively focused on high- and medium-severity findings, as these types of vulnerabilities are the most likely to result in the loss of user funds.

How does staking work?

Users can stake USDC for a fixed term of 6 or 12 months. The yield is partially fixed and partially variable. The amount of SHER token incentives is known at the time of staking and is fixed for the staking duration. Other yield strategies deployed, such as depositing in Aave, may be fixed or floating. The premium received by stakers is also variable, depending on how many protocols elect to receive coverage. In the event a covered smart contract is exploited during the fixed term, the staker's funds can be slashed by up to 50%. There are three stages of an exploit: rumor, claim submission, and payout. Only stakers who are still locked up during the third stage are subject to being slashed. Anyone who unstakes before the actual payout will not have to contribute to the payout for the exploit.

Sherlock Pools
Sherlock USD Staking