How Does Sherlock Work?
A DeFi insurance protocol that audits smart contracts and then insures them against hacks, with $60M in its claims pool. You can deposit USDC to back those insurance policies and earn yield from premiums. Its C+ risk grade reflects a fundamental tension: if Sherlock's audits miss bugs, Sherlock also has to pay for the losses.
TVL
$506,000
Sector
DeFi
Risk Grade
C+
Value Grade
D+
Core Mechanisms
Risk-Transfer/Insurance
Novel: Hybrid audit + insurance model: coverage is only offered to protocols that go through a Sherlock audit contest, aligning incentives through skin in the game
Sherlock's core innovation is bundling audit services with insurance coverage. A protocol pays a 2% annual premium on its TVL for up to $10M of coverage, and must first go through a Sherlock audit contest. This is the skin in the game: Sherlock bears the financial consequences of its own audit quality. The model is novel in DeFi insurance, but it concentrates correlated risk, because the same audit process that admits a protocol to coverage is the one whose misses the pool pays for.
7.2.1
Public audit contests: security researchers are paid to find vulnerabilities in protocol code before mainnet launch, with bounties funded by the audited protocol
Sherlock runs time-boxed (2-4 week) audit contests in which security researchers compete to find bugs, similar to the Code4rena and Immunefi contest models.
3.2.1
USDC staking pool: stakers deposit USDC to underwrite protocol coverage, earning yield from protocol premiums plus SHER token incentives
Stakers provide insurance reserves by depositing USDC. Standard staking pool pattern.
5.1.1
SHER governance token: controls coverage terms, staking pool parameters, and audit contest judging criteria
Standard governance token model with token-weighted voting.
Risk-Assessment/Coverage-Caps
Novel: Tiered coverage caps: protocols can purchase up to $10M in coverage, with the premium based on TVL
Sherlock caps the payout at a fixed dollar amount rather than covering a proportion of TVL. This is unusual relative to traditional insurance and invites adverse selection: protocols with TVL far above the cap get little value for a premium charged on all of their TVL and are likely to decline, while protocols small enough that the cap covers most of their TVL have the strongest reason to buy, so the book skews toward the protocols that can claim the most relative to what they pay.
Claims-Resolution/Governance
Novel: SHER token holder claims adjudication: governance votes determine whether exploit events qualify for coverage payouts
Claims are not automatically paid. SHER governance must vote to approve each claim. Novel in crypto insurance.
How the Pieces Interact
Sherlock's audits may share systematic blind spots. If several audited protocols are exploited through the same missed vulnerability class, their payout obligations come due at the same time and can exceed the staking pool's reserves, forcing slashing of staker principal or default on coverage.
Public contests have fixed time windows (2-4 weeks) and capped budgets. Complex protocols may need deeper analysis than the contest format allows, so the insurance coverage can give a false sense of security if contests are structurally inadequate for finding sophisticated vulnerabilities.
A protocol with $500M TVL paying the 2% premium owes $10M a year for at most $10M of coverage (2% of its TVL): the annual premium equals the maximum payout, so it could self-insure for the same cost. This creates a perverse incentive and adverse selection.
Concentrated SHER holders can vote to deny legitimate claims to protect staking pool reserves.
Because claims are paid only after a governance vote, stakers who see a covered protocol exploited have a window to withdraw before the payout is approved, leaving the loss to those who stay.
What Could Go Wrong
- Under-collateralized insurance model: staking pool reserves ($60M) can be overwhelmed by correlated exploit events across multiple covered protocols, forcing staker principal slashing
- Skin-in-the-game model creates perverse incentives: Sherlock only covers protocols it audits, so systematic audit methodology failures cascade to insurance solvency
- Coverage caps ($10M per protocol) are inadequate for large DeFi protocols and create moral hazard: Sherlock collects the 2% premium on 100% of TVL while insuring only a small fraction of it (2% of TVL for a $500M protocol)
Catastrophic Payout Event Drains Staking Pool
Moderate. Trigger: Multiple audited protocols covered by Sherlock suffer simultaneous exploits (a correlated vulnerability across similar codebases), triggering insurance payouts that exceed the staked USDC reserves
1. Three protocols audited by Sherlock are exploited through the same zero-day vulnerability class, producing $30M+ in combined covered losses. With each claim capped at $10M, a single correlated event consumes half of the $60M USDC staking pool reserve.
2. Sherlock's under-collateralization becomes public. USDC stakers rush to exit before losses are socialized, creating bank-run dynamics.
3. Governance votes to slash staker deposits by 40% or defaults on coverage claims. Either outcome destroys Sherlock's value proposition.
4. Protocols cancel or do not renew coverage contracts. The revenue model collapses as protocols lose faith in coverage reliability.
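The mechanics behind this scenario and the interactions above (premium charged on full TVL, payout capped per protocol, correlated claims from protocols that share a bug class, and the exit window before the claim vote) can be checked with a small stress model. The following is an added example, not Sherlock's code: the 2% rate, $10M cap and $60M reserve are the page's figures; the protocol names, TVLs, vulnerability-class labels, loss fraction and early-exit fraction are constructed for illustration.

```python
"""Stress model of a capped-coverage insurance staking pool.

Added example, not Sherlock's code. Rate, cap and reserve are the page's
figures; the covered book, bug-class labels and loss fractions are constructed.
"""
from dataclasses import dataclass

PREMIUM_RATE = 0.02            # 2% annual premium on TVL (page figure)
COVERAGE_CAP = 10_000_000.0    # $10M maximum payout per protocol (page figure)
POOL_RESERVE = 60_000_000.0    # USDC staking pool reserve (page figure)


@dataclass(frozen=True)
class Covered:
    name: str
    tvl: float
    vuln_class: str  # assumed label for the bug class an audit would have to catch


def annual_premium(p: Covered, rate: float = PREMIUM_RATE) -> float:
    """Premium is charged on the whole TVL, not on the covered amount."""
    return p.tvl * rate


def max_payout(p: Covered, cap: float = COVERAGE_CAP) -> float:
    """A claim can never exceed the smaller of the protocol's TVL and the cap."""
    return min(p.tvl, cap)


def premium_to_coverage(p: Covered) -> float:
    """Annual premium divided by the most the protocol can ever recover.
    At 1.0 the protocol pays the full cap every year; self-insuring is no worse."""
    return annual_premium(p) / max_payout(p)


def exposure_ratio(book: list, reserve: float = POOL_RESERVE) -> float:
    """Sum of every protocol's max claim over the reserve. Above 1.0 the pool
    cannot honour all covered protocols at once (under-collateralized)."""
    return sum(max_payout(p) for p in book) / reserve


def correlated_claims(book: list, vuln_class: str, loss_fraction: float = 1.0) -> dict:
    """Claims filed if every protocol sharing vuln_class loses loss_fraction of TVL."""
    return {p.name: min(p.tvl * loss_fraction, COVERAGE_CAP)
            for p in book if p.vuln_class == vuln_class}


def settle(claims: dict, reserve: float = POOL_RESERVE, early_exit_fraction: float = 0.0):
    """Pay approved claims from whatever is left after early exits.

    early_exit_fraction models the window between the exploit and the
    governance vote in which stakers withdraw. Returns (paid, shortfall,
    haircut), where haircut is the share of the remaining stakers' principal
    consumed by the payout."""
    remaining = reserve * (1.0 - early_exit_fraction)
    total = sum(claims.values())
    paid = min(total, remaining)
    shortfall = total - paid
    haircut = paid / remaining if remaining > 0 else 0.0
    return paid, shortfall, haircut


# Constructed book of covered protocols (names, TVLs and classes are made up).
BOOK = [
    Covered("whale", 500_000_000, "oracle-manipulation"),
    Covered("alpha", 40_000_000, "vault-share-inflation"),
    Covered("beta", 25_000_000, "vault-share-inflation"),
    Covered("gamma", 12_000_000, "vault-share-inflation"),
    Covered("delta", 30_000_000, "reentrancy"),
    Covered("epsilon", 6_000_000, "reentrancy"),
    Covered("zeta", 80_000_000, "access-control"),
    Covered("eta", 15_000_000, "oracle-manipulation"),
]


def run_scenario() -> dict:
    """Reproduce the catastrophic-payout narrative against the constructed book."""
    claims = correlated_claims(BOOK, "vault-share-inflation")
    return {
        "premium_income": sum(annual_premium(p) for p in BOOK),
        "exposure_ratio": exposure_ratio(BOOK),
        "whale_premium_to_coverage": premium_to_coverage(BOOK[0]),
        "correlated_claims": sum(claims.values()),
        "no_exit": settle(claims),                           # (paid, shortfall, haircut)
        "bank_run": settle(claims, early_exit_fraction=0.6),  # 60% of stakers leave first
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

With this book the whale's premium-to-coverage ratio is exactly 1.0, the pool's total capped exposure is about 1.27 times its reserve, and one correlated event across the three vault protocols draws $30M: half the pool if nobody exits early, but a 100% haircut plus a $6M shortfall for the stakers who stay if 60% of the pool withdraws before the vote.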
Risk Profile at a Glance
Overall: C+ (37/100)
Lower score = safer