⚖️Dispute Resolution

Bug Bounty Dispute Resolution

From time to time, the submitter of a vulnerability will disagree with the protocol team about the owed payout amount. Because of incentives, this situation may occur somewhat frequently.

Sherlock has created a system designed to maximize fairness while promoting and allowing for an environment of goodwill and friendliness between a submitter, protocol team, and any other party involved. Because of this, any participant in the system who seems to be acting in bad faith (badgering, threatening, harassing, etc.) may be removed (banned) from the Sherlock platform. Sherlock maintains full discretion in removal decisions.

3-Tiered Court System

The Sherlock Dispute Resolution process can roughly be thought of as a 3-tier court system:

• District/local courts (Sherlock Bounty Judge)

• Circuit/regional courts (7-member Sherlock Protocol Claims Committee)

• Supreme Court (UMA Optimistic Oracle)

Level 1: Sherlock Bounty Judge

Once a bug is submitted and the Sherlock team has been involved, the Sherlock Bounty Judge will eventually decide on the bug's validity and payout amount. The Sherlock Bounty Judge is a member of the Sherlock core team. They will make a decision after examining all facts and evidence presented by the report submitter, protocol team, and designed security expert reviewer.

This is similar to other bug bounty platforms. And it’s not great because anyone who works at the bug bounty platform itself may be biased. If a bug gets paid out, the platform makes money. If not, the platform makes no money.

That’s why there are 2 more levels to the Sherlock system.

But before we get to the 2nd layer, a decision on validity and payout amount will be made by the Sherlock Bounty Judge. If the issue is deemed invalid or the payout amount is less than desired, the issue submitter has a few options:

1. Do nothing and abide by the decision

2. Enter into a limited (Sherlock-supervised) negotiation with the protocol team

3. Pay $1k to escalate the issue to the 2nd level of the court system: the Sherlock Protocol Claims Committee

On the other hand, if the issue is deemed valid and the payout amount is higher than desired, the protocol team has a few options:

1. Abide by the decision and pay the requested amount

2. Enter into a limited (Sherlock-supervised) negotiation with the protocol team

3. Pay $1k to escalate the issue to the 2nd level of the court system: the Sherlock Protocol Claims Committee

4. “Ghost” Sherlock and the submitter and eventually get removed from the Sherlock platform (Note: Sherlock may attempt to enforce any terms of the legal agreement)

Level 2: Sherlock Protocol Claims Committee

The current members of the Sherlock Protocol Claims Committee can be found here. This committee is enforced by a 4 of 7 multisig and the members may change in the future.

The Sherlock Protocol Claims Committee has been in existence for over 3 years and has shown itself to be trusted with multi-million dollar situations in Sherlock’s smart contract coverage protocol.

The Sherlock Protocol Claims Committee will have 1 week to come to a decision.

Level 3: UMA Optimistic Oracle

But of course, these members may have certain biases or may not come to a decision that the submitter or protocol team agrees with. In that case, either the submitter or protocol team may pay ~$15k to escalate the decision to the 3rd level of the Sherlock Dispute Resolution process: the UMA Optimistic Oracle.

The UMA Optimistic Oracle is best explained here. It is the same mechanism that Polymarket uses to resolve disputed markets that may be worth hundreds of millions of dollars. Sherlock believes it is the best and most trusted third-party dispute resolution system in crypto at the time of writing.

Negotiation

The vast majority of legal cases in the world are settled before going to court. Sherlock hopes that the 2nd and 3rd tiers of the Sherlock Dispute Resolution process are rarely used.

That’s why Sherlock allows for a limited period of negotiation as an alternative to escalating to the SPCC or UMA Optimistic Oracle. However, the negotiation MUST take place in the Sherlock-approved channel where Sherlock can view and moderate the discussion.

Negotiation must not last longer than 14 days before an alternative option (pay the requested bounty, accept the decision, escalate to the 2nd or 3rd tier) must be selected. Negotiation must remain “good faith” and cordial.