Sherlock is a new type of security solution for protocol teams.
Sherlock provides teams with all the tools they need to securely launch decentralized apps:
With these tools, protocol teams are set up for success and can get back to building. Even further, the users of those protocols can sleep easier knowing there is recourse even if a bug slips through the protocol’s strict security practices.
The Sherlock team thinks Web3/crypto/DeFi will be one of the greatest positive influences on the world in the 21st century. DeFi has the ability to give anyone with an internet connection access to cutting-edge financial tools and currencies. NFTs and Web3 gaming democratize access to wealth for artists and gamers. And soon, Web3 social media will ensure everyone has a voice.
There are 3 big problems that prevent this vision from becoming reality:
The Sherlock team thinks the “Security” category has garnered the least attention and little has changed in the last 5 years. It is time for a new approach.
Sherlock’s mission is to make crypto safe for everyone.
This means starting with users. Sherlock is designed with end users in mind. The Sherlock team believes that users shouldn’t have to deal with security considerations (like smart contract coverage) at all.
This is why Sherlock takes a protocol-to-protocol approach. The best way to protect users is to make it as easy as possible for protocol teams to use industry-leading security practices and provide recourse for exploits.
Exploits in crypto are causing billions of dollars per year in damages.
There are 3 parties in the Sherlock ecosystem:
Sherlock helps protocols that want coverage by connecting them with external audit firms as well as through Sherlock’s own “red team” security review process, conducted by the Watsons (Sherlock’s whitelisted security reviewers). The Watsons do a fundamental security assessment of each prospective protocol and provide input to the pricing of coverage.
This process has a dual purpose:
If an exploit occurs on a covered protocol’s codebase, capital provided by stakers is used to repay the bug bounty or exploit (up to the agreed-upon coverage amount).
In the meantime, stakers receive APY from 3 sources:
Detailed info on the design and mechanisms can be found in the docs.
When the worst case happens, how does a protocol trust that Sherlock will repay the lost funds?
Good news, it doesn’t have to.
Sherlock’s V2 claims process is completely trustless.
A protocol can submit a claim at any time, and if either of two “committees” decides the exploit falls within the terms of the coverage agreement (example agreement here), the funds are automatically transferred to the protocol’s chosen address. No trust in Sherlock is required.
The two committees are:
While not a panacea, a protocol team should feel good about at least one of these committees making the correct choice when it counts.
Unfortunately, Sherlock can’t use its own staking pool to stay secure.
Because of this, Sherlock’s V2 codebase is one of the smallest and simplest codebases in DeFi. We let our customers have the fun, while Sherlock itself stays extremely conservative in terms of development:
In terms of audits, we’ve tried to get the largest number of skilled auditors to look at the V2 codebase:
We’ve publicly announced coverage with Euler (lead investor: Paradigm), Opyn (lead investor: Paradigm), Primitive (lead investor: Framework), Teller (lead investor: Framework) and new coverage starting on Feb 15th with Tempus (lead investor: Lemniscap). Look out for more announcements in the coming weeks. The demand for coverage has been strong and we’ve been struggling to keep up.
We have also had to turn down the vast majority of protocols that approach us for coverage because of the high bar we set around security practices. This should be a temporary phenomenon as many of those protocols are now working to clear the bar and Sherlock is working on a few tools that can help new protocols understand and clear the bar more easily.
The Sherlock team is strong and growing. The founders of Sherlock marry years of experience investing in banks and insurance companies at Citadel with years of experience writing Solidity contracts on Ethereum (since 2018) and working in cybersecurity.
The rest of the core team has relevant experience, such as investing in cybersecurity at Mark Asset Management and years of Silicon Valley engineering experience, and nearly everyone has been an entrepreneur at some point.
We believe the collective background of the team is the right one to create a new archetype of smart contract security in crypto.
Sherlock is lucky to have the support of some of the most talented angels, VCs and advisors in crypto:
Don’t take it from us. Here’s what our customers have had to say: