How it Works for Protocols


Last updated 12 months ago

Whether this is your protocol's first audit before launching on mainnet, or latest version, Sherlock's audit experience is designed to provide the familiarity of a traditional audit, with drastically better results.

A protocol's audit process:

The timeline for a Sherlock audit
  1. You can request an audit. Sherlock can usually start an audit within 3 days.

  2. Sherlock will contact you to discuss your audit scope, expected timeline, and requirements to get an audit started (check out Sherlock's Audit Requirements Checklist for items Sherlock requires to start an audit).

  3. Sherlock conducts an initial assessment and provides you with a quote based on the length of time required for the audit.

  4. You then reserve your audit slot by putting down a refundable deposit for 25% of the cost of the audit.

  5. Three days before the audit starts, you send Sherlock the final commit, branch, contracts, and the remaining portion of the audit deposit.

  6. Once the audit contest portion of the audit begins, Sherlock will ask your team to be available to answer questions from security experts (mostly in a Discord channel).

  7. Immediately after the audit contest ends, the judging contest starts. The judging contest will last a variable number of days, depending on the number of issues submitted. After the judging contest ends, Sherlock will provide you with a curated, de-duplicated list of all High and Medium-severity findings.

  8. You then have 72 hours to acknowledge and indicate which submitted issues you intend to fix and schedule a fix review to be completed within 3 weeks.

  9. Sherlock asks that you implement any fixes (a separate PR for each issue being fixed) and deliver the new commit hash to Sherlock 24 hours before your fix review starts. We also ask that you comment on each open issue (in the Sherlock repo) with a link to the PR that fixes that issue.

  10. Around the same time as Step #9, Sherlock runs an "Escalation Period" where security experts can stake USDC and flag any issues that they think were not categorized correctly for a second opinion.

  11. Post-fix review, you will receive sign-off to launch on mainnet and a final report, which gives you the option to add coverage at any point in the future.

  12. Sherlock works with you to get your coverage and bug bounty live (if you decide you want smart contract exploit coverage).

Important timeline considerations

The length of the audit contest itself will be communicated to the protocol team as part of the initial quote/scoping. However, the post-contest process can take a couple of days, or it can take a few weeks, depending on the number of issues found:

  • Audit Contest: Communicated in the quote/scoping.
  • Judging Contest: Variable number of days immediately after the audit contest.
  • Issue Verification: Depends on the number of issues submitted, but could take 1 day or could take 7 days (also depends on the productivity of the protocol team).
  • Issue fixes: Depends on the number of valid issues, but could take 1 day or could take 1-2 weeks (also depends on the productivity of the protocol team).
  • Escalation Period: Once the issues have been verified, this is a "double-checking" process that takes 48-72 hours in total and usually occurs while the protocol team is fixing issues.
  • Fix review: This will be done by the Lead Senior Watson if it can be accomplished in 1 day or less. If not, Sherlock suggests a small follow-up audit contest. Could take as little as 1 day, or it could take 1-2 weeks to schedule and complete (depending on the number of issues, Lead Senior Watson availability, etc.).

Generally, Sherlock recommends a protocol team not expect to deploy/launch their protocol until 2-3 weeks after the audit contest finishes. However, if no issues are found, a protocol team could launch as soon as 3 days after the audit contest ends.
