There are three important stages of an exploit:
1. The rumor of the exploit
2. When the claim gets submitted
3. When the exploit gets paid out
Only stakers whose funds are still locked up during the third stage will have to pay out. Any staker who unstakes funds before the actual payout (because they are in an unstaking window) will not have to pay toward the exploit.
Each covered protocol will have a policy that is targeted to be 50% or less of the total Sherlock staking pool. This ensures that any single exploit event at any single protocol can cause a payout of at most 50% of the staking pool. More than 50% of the staking pool can be used for a payout if multiple covered protocols experience covered hacks in a short timeframe.
However, if the size of the exploit (specifically the funds lost) is smaller than the total coverage amount at a protocol, the size of the payout will be a fraction of the 50% maximum. Also, if an exploit becomes possible on multiple protocols due to a chain bug (i.e. a bug in Ethereum L1), then no more than 50% of the staking pool can be used to repay those exploits, even if individual protocols had policies that aggregate to a sum that is larger than 50% of the staking pool.