exploit-flow.md

File metadata and controls

19 lines (10 loc) · 2.23 KB

Payout Flow

If a covered bug bounty submission or exploit is thought to have occurred at a covered protocol, the protocol can submit a claim to Sherlock.

Some of the Sherlock Watsons can be expected to work alongside the core devs to initially mitigate the attack vector if it is still exploitable. Once the exploit has been mitigated, the Watsons will work to understand the cause and magnitude of the bug bounty report or exploit. From this process, a protocol will have a good sense of whether the bug bounty or exploit experienced is covered by Sherlock, and thus whether a claim should be submitted. The Watsons can help with the general claim submission process (the information required) as well as with choosing the correct timestamp and amount that should be submitted.

Details about Sherlock's full claim process can be found here. The first stage of the claims review is the decision made by the Sherlock Protocol Claims Committee (SPCC). If the protocol disagrees with the SPCC decision, the protocol can post a bond of ~$22k and escalate the claim to UMA's Optimistic Oracle. This allows the protocol to have access to an unbiased, third-party judgment on whether the claim should be paid out or not.

If a claim should be paid out, the payout will go to the address specified by the protocol (protocol agent) when the claim was initiated.

Note: The address that submits a claim will be linked to the claim throughout the claim's lifecycle. This is noteworthy because a protocol can update its "agent" address, but any claim that has already been started will have to finish with the old address. In practice, this means a protocol team shouldn't start a claim from an address that it might lose access to before the claim is resolved (a matter of weeks at most).

After an Exploit

When the dust has settled from an exploit and the claim has been resolved, the initial coverage agreement will become void.

Note: Coverage amounts through Sherlock do not automatically regenerate after a payout.

In order to reactivate the coverage agreement, a new agreement must be entered into with Sherlock. This allows Sherlock to re-assess the risk of any protocol after they've suffered a large exploit and update the premium accordingly.