TL;DR

Sherlock is a new type of security solution for protocol teams.

Sherlock provides teams with all the tools they need to securely launch decentralized apps:

• Audits from leading security firms and independent security experts
• Bug bounty paid for by Sherlock
• Smart contract coverage for on-chain exploits

With these tools, protocol teams are set up for success and can get back to building. Even further, the users of those protocols can sleep easier knowing there is recourse even if a bug slips through the protocol’s strict security practices.

The Mission

The Sherlock team thinks Web3/crypto/DeFi will be one of the greatest positive influences on the world in the 21st century. DeFi has the ability to give anyone with an internet connection access to cutting edge financial tools and currencies. NFTs and Web3 gaming democratize access to wealth for artists and gamers. And soon, Web3 social media will ensure everyone has a voice.

There are 3 big problems that prevent this vision from becoming reality:

• Scalability (gas prices too high, transactions too slow)
• User Experience (wallets, ramps, and custody is hard)
• Security (exploits and insecure code)

The Sherlock team thinks the “Security” category has garnered the least attention and little has changed in the last 5 years. It is time for a new approach.

Sherlock’s mission is to make crypto safe for everyone.

This means starting with users. Sherlock is designed with end users in mind. The Sherlock team believes that users shouldn’t have to deal with security considerations (like smart contract coverage) at all.

This is why Sherlock takes a protocol-to-protocol approach. The best way to protect users is to make it as easy as possible for protocol teams to use industry-leading security practices and provide recourse for exploits.

What’s the Problem?

Exploits in crypto are causing billions of dollars per year in damages.

• Users don’t know how to differentiate well-secured protocols from poorly-secured ones. Worse, even well-secured protocols get hacked sometimes.
• Protocol teams don’t know where the bar for security is. Is one audit enough? What about an audit plus peer reviews? Do they need a bug bounty? Is formal verification the same as an audit? What if they want to make small changes to deployed code?
• Security firms don’t feel the same pain of exploits as protocol teams: there is no recourse if an audited protocol gets hacked.

Sherlock’s Approach

• Sherlock DOES provide recourse for exploits, meaning Sherlock and actors within the Sherlock protocol are highly incentivized to keep covered protocols safe.
• Sherlock sets the security bar for protocols, and protocol teams can respect the bar because Sherlock’s interests are aligned with theirs. Teams can decide whether to clear the bar and work with Sherlock, or not.
• Users come to see Sherlock as the ultimate stamp of approval. They feel more comfortable using Sherlock-covered protocols because they know a high bar has been cleared for security, and there is a high probability of recourse in the event of an exploit.

How Does It Work?

There are 3 parties in the Sherlock ecosystem:

• Protocols who want coverage
• Security experts who review protocol code
• Stakers who provide capital for recourse

Sherlock helps protocols who want coverage by connecting them with external audit firms as well as through Sherlock’s own “red team” security review process, conducted by the Watsons (Sherlock’s whitelisted security reviewers). The Watsons do a fundamental security assessment of each prospective protocol and provide input to the pricing of coverage.

This process has a dual purpose:

• Helping the protocol to secure its codebase
• Helping Sherlock understand and price the risk of the codebase

If an exploit occurs on a covered protocol’s codebase, capital provided by stakers is used to repay the bug bounty or exploit (up to the agreed-upon coverage amount).

In the meantime, stakers receive APY from 3 sources:

• Sherlock-approved strategies (e.g. depositing USDC into Aave)
• Premiums paid by protocols (based on Sherlock’s security assessment)
• SHER token incentives

Detailed info on the design and mechanisms can be found in the docs.

How Does a Protocol Get Repaid for an Exploit?

When the worst case happens, how does a protocol trust that Sherlock will repay the lost funds?

Good news, it doesn’t have to.

Sherlock’s V2 claims process is completely trustless.

A protocol can submit a claim at any time, and if either of two “committees” decide the exploit falls within the terms of the coverage agreement (example agreement here), the funds are automatically transferred to the protocol’s chosen address. No trust in Sherlock is required.

The two committees are:

• The SPCC -- this committee is made up of well-known security experts in the space. The strengths of this committee are its speed and expertise, but its potential weakness is that many of these experts have affiliations with Sherlock.
• The UMA Optimistic Oracle -- because SPCC members may be affiliated with Sherlock, a protocol can also submit its claim to the UMA Optimistic Oracle. The strengths of this committee are its numbers (thousands of UMA tokenholders) and lack of affiliation to Sherlock. However, this committee may take more time and start with less expertise around security issues.

While not a panacea, a protocol team should feel good about at least one of these committees making the correct choice when it counts.

Future Features

• Sherlock is making progress on parametric (code-based) payouts and is optimistic that a subset of protocols can benefit from this approach. More info to come on this. 
• Aave’s USDC deposit strategy will be the only active strategy for staked funds for the next few months. One of the keys to growing the staking pool into the billions will be taking an active approach to generating more yield through a diversified set of strategies.
• Sherlock may eventually allow stakers to receive protocol premiums in the form of each protocol’s governance tokens, turning Sherlock into a differentiated VC pipeline.

Sherlock Security Practices

Unfortunately, Sherlock can’t use its own staking pool to stay secure.

Because of this, Sherlock’s V2 codebase is one of the smallest and simplest codebases in DeFi. We let our customers have the fun, while Sherlock itself stays extremely conservative in terms of development:

• No oracles
• No assembly code
• No proxy patterns
• Codebase only on Ethereum L1
• $500k bug bounty (will at least double in a few weeks)

In terms of audits, we’ve tried to get the largest number of skilled auditors to look at the V2 codebase:

• Trail of Bits audit in December 2021
• Secureum security review with 24 Secureum participants in December 2021
• Code Arena audit with 15 independent auditors in February 2021

Customers

We’ve publicly announced coverage with Euler (lead investor: Paradigm), Opyn (lead investor: Paradigm), Primitive (lead investor: Framework), Teller (lead investor: Framework) and new coverage starting on Feb 15th with Tempus (lead investor: Lemniscap). Look out for more announcements in the coming weeks. The demand for coverage has been strong and we’ve been struggling to keep up.

We have also had to turn down the vast majority of protocols that approach us for coverage because of the high bar we set around security practices. This should be a temporary phenomenon as many of those protocols are now working to clear the bar and Sherlock is working on a few tools that can help new protocols understand and clear the bar more easily.

Team

The Sherlock team is strong and growing. The founders of Sherlock marry years of experience investing in banks and insurance companies at Citadel with years of experience writing Solidity contracts on Ethereum (since 2018) and working in cybersecurity.

The rest of the core team has relevant experience such as investing in cybersecurity at Mark Asset Management, years of Silicon Valley engineering experience and nearly everyone has been an entrepreneur at some point.

We believe the collective background of the team is the right one to create a new archetype of smart contract security in crypto.

Support

Sherlock is lucky to have the support of some of the most talented angels, VCs and advisors in crypto:

• Angels: Kain Warwick, Ric Burton, Mariano Conti, Hart Lambur, and many others
• VCs: Dragonfly Capital, GSR, IDEO CoLab Ventures, A Capital, Scalar Capital, Lattice Capital, Maven 11, CoinFund, LedgerPrime, DeFi Alliance
• Advisors: John Mardlin, Rajeev Gopalakrishna, Greg DiPrisco

Reviews

Don’t take it from us. Here’s what our customers have had to say: