Sherlock V2
  • 👋Intro to Sherlock
  • 🙋FAQ
  • 📚Glossary
  • ‼️Disclaimers
  • Audits
    • 🧑‍💻Protocol Teams
      • How it Works for Protocols
      • Audit Timeline
      • Scheduling Process
      • Audit Preparation
      • Protocol Involvement During the Audit Process
      • Protocol Involvement Post-Audit
      • Rescheduling and Cancellations
      • Interim Updates and Upgrades
    • 🕵️Watsons
      • Lead Senior Watson Selection Process
      • Fix Review Process
      • Contest Points
      • How to Score Issue Points in a Contest
      • Meeting the Payout Criteria
      • Leaderboard Points Example
      • FAQ
    • 🧑‍⚖️Judging
      • Judging Conduct Guidelines
      • Criteria for Issue Validity
        • Criteria Changelog
      • Lead Judge
      • 🧑‍⚖️Community Judging
      • Dedicated Judge
      • Discussion
      • Sherlock's Exclusive Judging Apprentice Program
    • 🤝Referral Program
  • Bug Bounties
    • 🌱Pre-Launch Bounty
    • 🚀Post-Launch Bounty
      • 📜Platform Rules
      • ⚖️Dispute Resolution
  • Coverage
    • 🛡️Sherlock Shield
    • 💰Stakers
      • Overview
      • Lockup Period
      • Payout Flow
      • Staking APY
    • 🧑‍💻Protocol Teams
      • Getting Started
      • Coverage Premiums
      • Pricing
      • Composability and Coverage
      • Payout Flow
      • FAQ
    • 📝Claims
      • Claims Process
  • Tokens
    • SHER
    • Receipt NFTs
  • Governance
    • Roles
  • Developer
    • Overview
    • Stake Position Lifecycle
    • Claim Lifecycle
    • Protocol Lifecycle
    • SHER Distribution
    • Deployed Contracts
    • Contract Reference
    • Audits
Powered by GitBook
On this page
  1. Coverage
  2. Protocol Teams

Payout Flow

PreviousComposability and CoverageNextFAQ

Last updated 1 year ago

If a covered bug bounty submission or exploit is thought to have occurred at a covered protocol, the protocol can submit a claim to Sherlock.

Some of the Sherlock Watsons can be expected to work alongside the core devs to initially mitigate the attack vector if it is still exploitable. Once the exploit has been mitigated, the Watsons will work to understand the bug bounty report or exploit's cause and magnitude. From this process, a protocol will have a good sense of whether the bug bounty or exploit experienced is covered by Sherlock, and thus a claim should be submitted. The Watsons can help with the general claim submission process (info required) as well as choosing the correct timestamp and amount that should be submitted.

Details about Sherlock's full claim process can be found . The first stage of the claims review is the decision made by the Sherlock Protocol Claims Committee (SPCC). If the protocol disagrees with the SPCC decision, the protocol can post a bond of ~$22k and escalate the claim to UMA's Optimistic Oracle. This allows the protocol to have access to an unbiased, third-party judgment on whether the claim should be paid out or not.

If a claim should be paid out, the payout will go to the address specified by the protocol (protocol agent) when the claim was initiated.

Note: The address that submits a claim will be linked to the claim throughout the claim's lifecycle. This is noteworthy because a protocol can update their "agent" address, but any claim that is started will have to finish with the old address. Basically, this means a protocol team shouldn't start a claim with an address that they might lose access to before the claim is resolved (a matter of weeks at most).

After an Exploit

When the dust has settled from an exploit and the claim has been resolved, the initial coverage agreement will become void.

Note: Coverage amounts through Sherlock do not automatically regenerate after a payout.

In order to reactivate the coverage agreement, a new agreement must be entered into with Sherlock. This allows Sherlock to re-assess the risk of any protocol after they've suffered a large exploit and update the premium accordingly.

🧑‍💻
here