Exploit Flow
When an exploit is thought to have occurred, Sherlock will work with the protocol to determine the nature of the exploit. Sherlock security experts and the protocol’s core dev team will work together to uncover as much information as possible about the exploit (once the threat itself has been neutralized). Ultimately, the decision around the nature of the exploit and the payout will be determined by the Sherlock claims process.
The first step is the claims committee. The claims committee will use information provided by Sherlock security experts and the protocol’s dev team as well as conduct their own analysis about the nature of the exploit. They will then determine what “type” of exploit it was and whether it falls under a coverage bucket that the protocol purchased (using the initially agreed-upon coverage agreements). If the exploit does not fall under coverage, no payout occurs. If the exploit does fall under coverage, Sherlock will work with the protocol to determine the exact USD amount to be repaid.
If a protocol wants to dispute the decision of the claims committee, the claims process gets escalated to UMA's DVM. More on this can be found in the Deciding on Payouts section.
The initial coverage agreement will also specify the token to be paid by Sherlock for an exploit. Sherlock will reimburse the protocol (beyond the value of their deductible) with funds from Sherlock's “first-money-out” pool to begin with, and finally from the staking pools.
Each staker pool will be discounted by the same percentage of its USD value to pay back the hack. For example, if there are staker pools with $10M DAI in one and $40M ETH in the other and $5M needs to be paid out for an exploit, $1M will be taken from the DAI pool and $4M from the ETH pool. The tokens will be swapped into the agreed-upon currency to repay the hacked protocol. Note: Because only USDC is accepted during the guarded launch, this section is not relevant.
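The funding order and the proportional discount described above, worked through as an added example (this is not Sherlock's own code). The function name, the use of integer cents, and the largest-remainder rule for leftover cents are assumptions made for illustration; the token swap into the payout currency is not modelled.

```python
USD = 100  # amounts are integer US cents so the allocations sum exactly


def allocate_payout(loss, deductible, first_money_out, staker_pools):
    """Split a covered loss across funding sources in the order the page gives.

    staker_pools maps pool name -> USD value (in cents) of the tokens staked.
    """
    if min(loss, deductible, first_money_out, *staker_pools.values()) < 0:
        raise ValueError("amounts must be non-negative")
    owed = max(loss - deductible, 0)       # Sherlock pays only beyond the deductible
    from_fmo = min(owed, first_money_out)  # first-money-out pool is drawn first
    remaining = owed - from_fmo            # staker pools cover whatever is left
    total = sum(staker_pools.values())
    if remaining > total:
        raise ValueError("payout exceeds the funds in the staker pools")
    shares = dict.fromkeys(staker_pools, 0)
    if remaining:
        # Same percentage from every pool: floor(remaining * balance / total).
        for name, balance in staker_pools.items():
            shares[name] = remaining * balance // total
        # Assumption: cents lost to flooring go to the pools with the
        # largest remainders, so the shares add up to `remaining` exactly.
        leftover = remaining - sum(shares.values())
        ranked = sorted(staker_pools,
                        key=lambda n: remaining * staker_pools[n] % total,
                        reverse=True)
        for name in ranked[:leftover]:
            shares[name] += 1
    return {
        "protocol_deductible": min(loss, deductible),
        "first_money_out": from_fmo,
        "staker_pools": shares,
    }


# Constructed inputs: the page's $10M DAI / $40M ETH pools, with a $7M loss,
# a $1M deductible and a $1M first-money-out pool chosen so that $5M is left
# for the staker pools, matching the page's example.
EXAMPLE = allocate_payout(
    loss=7_000_000 * USD,
    deductible=1_000_000 * USD,
    first_money_out=1_000_000 * USD,
    staker_pools={"DAI": 10_000_000 * USD, "ETH": 40_000_000 * USD},
)
```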
The payout can be sent directly to the protocol (their governance) or, if the protocol may still be compromised, it can be arranged to transfer the funds directly to the addresses of the victims.