The goal of this guide is to provide relevant information for prospective Sherlock stakers.
Note: “Staking” in Sherlock is synonymous with capital provision. Stakers deposit USDC into Sherlock’s smart contracts.
Stakers take on the risk of payouts for protocols covered by Sherlock. Basically, protocol teams pay “premiums” to Sherlock in order to have the privilege to submit claims when a covered smart contract hack occurs in their protocol.
In return for this risk, stakers earn APY in the form of premiums, yield strategies, and incentives.
Many of the graphics in this article can be found on the Sherlock dashboard.
Current staking APY: 20%
APY paid in USDC: 10%
Note: This chart shows only the USDC APY. It might not match the 10% USDC APY target (it should be higher) because Sherlock has not reached its TVL target for the staking pool yet.
APY paid in SHER tokens: 10%
SHER tokens are all paid out of the Sherlock treasury as incentives.
The SHER token has not been listed on any exchanges yet, so the 10% APY number is based on Sherlock’s seed round ($55M SHER network valuation).
Maximum payout for a covered event: 50%
As a staker, you can lose up to 50% of your capital on a single smart contract exploit.
This risk is mitigated in a few ways:
Most protocols do not use up the maximum amount of coverage, so even their largest payout won’t approach 50%.
Every protocol has a $1M bug bounty (with 10% of economic damage limits) to ensure that if a whitehat finds a bug, the maximum payout should be closer to 5-10% than 50%.
Of course, Sherlock runs the most thorough audit process in the industry to ensure that the risk of an on-chain exploit is as close to 0% as possible.
Minimum stake length: 6 months
Every staker must stake their capital for at least 6 months.
After 6 months, there will be a 2-week period during which a staker may withdraw their capital; otherwise it will be re-staked for another 6 months.
Claims submitted by covered protocols: 0
USDC paid out for exploits: 0
USDC paid out for bug bounties: 0
Current staking pool size: ~11M USDC (see Staking Pool for latest value)
Staking pool cap (when incentives end): 15M USDC
Covered protocols: 6 (see Covered Protocols for latest value)
What’s the process for when a covered protocol gets hacked?
If a protocol team experiences a loss of funds in their protocol, they can submit a claim to Sherlock. The coverage agreement with each protocol decides whether the loss of funds is a covered event or not. Sherlock is focused on mitigating smart contract risk, so Sherlock only covers bugs related to smart contracts, not frontends, loss of admin keys, rug pulls, etc. Economic events like liquidations, TWAP manipulations, etc. are also not covered. A rule of thumb is that the bug would need to be fixed by altering the smart contract code; if there is no “fix” to be made in the smart contracts, Sherlock likely doesn’t cover it.
The interpretation of the coverage agreement is done by two parties. First, a protocol team submits their on-chain claim and it goes to a 4-of-7 multi-sig. The members of that multi-sig are listed here. As you’ll notice, most of the multi-sig members do not work at Sherlock, but they are smart contract security experts. The idea is that this multi-sig will make an unbiased decision as to whether a claim should get paid out or not.
If a protocol team disagrees with the decision of the 4-of-7 multi-sig, they can pay a fee to escalate the claim to UMA’s Optimistic Oracle. Instead of unbiased individuals in a multi-sig, this is an unbiased DAO whose members have nothing to do with Sherlock. The entire point of this DAO is to adjudicate disputes and any member of the DAO can stake their tokens to vote. The market cap of this DAO is currently ~$236M, so it is quite expensive to manipulate.
If a claim is denied (by UMA or by the 4-of-7 multi-sig and the protocol team doesn't escalate), then nothing happens. A protocol team can only submit a claim for a specific amount at a specific attack timestamp once, so the idea is that they cannot resubmit a claim for the same attack over and over (except to adjust the amount claimed). If a claim is accepted, then the smart contracts transfer the claimed amount to an address of the protocol team’s choosing, and it is up to the protocol team to distribute the funds evenly to affected users of their protocol.
Again, a claim for greater than 50% of the staking pool cannot be made (except under specific circumstances where multiple exploits happen at different protocols in quick succession). And bug bounty payouts are capped at around 5-10% of the staking pool (depending on the size of the staking pool).
What is the External Coverage shown in the Sherlock dashboard?
Sherlock has partnered with Nexus Mutual to diversify some of our coverage to their capital pool. Right now, 25% of every large coverage amount is shared with Nexus Mutual. For example, if Sherlock were covering a protocol for 10M USDC, then Sherlock stakers would be covering that protocol for 7.5M USDC, and Nexus would be covering that protocol for 2.5M USDC (25%). This partnership is helpful to Sherlock because it’s a great source of coverage at a time when staking capital is expensive.
If Sherlock were covering a protocol for 10M USDC and had a payout, some of the payout would be borne by Nexus Mutual. Nexus Mutual has a 500k USDC deductible with Sherlock, so the first 500k USDC is borne entirely by Sherlock’s staking pool. After that, 75% is covered by Sherlock’s staking pool and 25% is covered by Nexus Mutual. On a 10M USDC example payout this would mean that Sherlock covers 7.625M USDC of the payout and Nexus would cover 2.375M USDC of the payout.
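The deductible rule above, worked through as an added example (this is not Sherlock's or Nexus Mutual's contract code). It shows that Nexus's effective share of a payout is zero up to 500k USDC and always stays below 25% above that. The function names, the round-down behaviour and the pro-rata spread of the pool's loss across stakers are assumptions made for illustration.

```python
# Added illustration; not Sherlock's or Nexus Mutual's contract code.
USDC = 10**6                  # USDC has 6 decimals; all amounts are integer micro-USDC
DEDUCTIBLE = 500_000 * USDC   # first 500k is borne entirely by the staking pool (from the text)
NEXUS_BPS = 2_500             # Nexus covers 25% of the amount above the deductible (from the text)
BPS = 10_000


def split_payout(payout: int) -> tuple[int, int]:
    """Return (sherlock_part, nexus_part) for a payout in micro-USDC."""
    if payout < 0:
        raise ValueError("payout must be non-negative")
    above = max(payout - DEDUCTIBLE, 0)
    # Assumption: integer division rounds down, so rounding dust stays with Sherlock.
    nexus = above * NEXUS_BPS // BPS
    return payout - nexus, nexus


def effective_nexus_bps(payout: int) -> int:
    """Nexus's share of the whole payout, in basis points (always below 2,500)."""
    if payout == 0:
        return 0
    return split_payout(payout)[1] * BPS // payout


def staker_loss(stake: int, pool: int, payout: int) -> int:
    """One staker's loss, assuming the pool's part is spread pro rata (assumption)."""
    sherlock, _ = split_payout(payout)
    if sherlock > pool:
        raise ValueError("staking pool cannot absorb this payout")
    return stake * sherlock // pool


if __name__ == "__main__":
    # Constructed payout sizes, in thousands of USDC.
    for thousands in (300, 500, 2_000, 10_000):
        payout = thousands * 1_000 * USDC
        sherlock, nexus = split_payout(payout)
        print(f"payout {payout // USDC:>10,} USDC: "
              f"Sherlock {sherlock // USDC:>9,}  Nexus {nexus // USDC:>9,}  "
              f"({effective_nexus_bps(payout) / 100:.2f}% effective Nexus share)")
    # Constructed case: 10,000 USDC stake, 11M USDC pool, 2M USDC payout.
    loss = staker_loss(10_000 * USDC, 11_000_000 * USDC, 2_000_000 * USDC)
    print(f"staker loss: {loss / USDC:,.2f} USDC")
```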
How can I stake?
Go to the “Stake” page on the Sherlock app (note the staking page is blocked for US IP addresses)
Enter the USDC amount you’d like to stake
Select “6 months” or “12 months” for the lockup period
Click “Approve” to allow the Sherlock smart contracts to access your USDC and complete the on-chain transaction
Click “Stake” and complete the on-chain transaction
Once the “Stake” transaction completes (and the frontend updates) you should see your staked USDC in the Positions tab.
Note: In rare cases, you may need to increase the gas limit for the transaction to ~45,000 so that the transaction does not revert.
After 6 months, you’ll have the opportunity to “Unstake” or “Restake” your position. Either operation will follow a similar process to the “Stake” operation and all earned interest and SHER tokens will be automatically sent to your wallet on either “Unstake” or “Restake.”