Cover analysis · Sherlock

The audit shop
that backs its work.

Sherlock is primarily an audit and contest platform. Its cover product, Sherlock Shield, pays out only for exploits in code Sherlock itself audited, is capped at $500,000, and is sold to protocol teams, not end users. This profile examines how much protection that promise really contains. Facts, not advice.

42/100 Weak

A narrow but transparently framed product. The dispute process with UMA escalation is a distinctive design and the Euler payout is a documented track record. On the other side, coverage is capped at $500k, terms are private per engagement, and Sherlock states that neither payment nor availability of funds is guaranteed.

Data confidence: low · Assessment as of 2026-07-14 · Methodology: Assecura Score

How to read this page: where each value comes from

On-chain Read from contracts, verifiable by anyone at any time.
Contract doc From a binding written document, off-chain but checkable.
Provider claim Stated by the provider, off-chain: a matter of trust.
Third party From a third-party source, off-chain: a matter of trust.
Our assessment Our judgement under the Assecura methodology.

Only on-chain values are verifiable without trusting anyone. Everything off-chain, including binding documents, ultimately relies on trust in the source.

Live on-chain On-chain

Reading the chain…

Profile

Provider Sherlock (audit firm plus coverage protocol on Ethereum) Provider claim
Product analysed Sherlock Shield: exploit payout coverage for Sherlock-audited code Our assessment
Who is covered Protocol teams only. Sherlock states explicitly: users should not assume they will be reimbursed Provider claim
Legal nature Not insurance (own disclaimer). Coverage governed solely by private, per-engagement written terms Provider claim
Maximum coverage $500,000 per codebase, tiered down to $1,000 based on audit findings score Provider claim
Payout guarantee None. Sherlock: "does not guarantee payment or the availability of funds" Provider claim
Claims settlement Payouts run through the on-chain claims process of the Sherlock protocol on Ethereum mainnet Provider claim

The key structural point: Shield is an accessory to the audit business, not a standalone insurance pool. Coverage exists only for code Sherlock audited, the amount depends on how clean the audit was, and the buyer is the protocol team. For a DeFi user this product provides no direct claim at all.

What is covered Provider claim

No public, binding cover wording exists; the following is compiled from provider documentation. Final terms are set per engagement and are not public, which is itself a finding.

1 covered 2 conditional 4 excluded
Covered
Exploit in Sherlock-audited code Core promise: covered issues in the audited, fix-reviewed scope during the chosen coverage window.
Excluded
Code outside the audited scope Only audited and approved contracts qualify; scope defines the protection boundary.
Excluded
Changes deployed after the audit Upgrades, new deployments and config changes after review change the risk profile and fall outside coverage.
Excluded
Losses above the coverage cap Hard cap of $500k; at Euler, the $4.5M payout equalled roughly 2% of the $200M loss.
Excluded
End-user losses Payouts go to the protocol team; Sherlock does not control whether users are made whole.
Conditional
Oracle failure, governance attacks, depegs No public event catalogue; whether an event qualifies depends on the private engagement terms.
Conditional
Phishing, key theft, frontend attacks Not addressed in public documentation; presumably outside the audited-code promise. Not verifiable.

Conditions attached Provider claim

Eligibility Completed Sherlock audit plus approved fix review; Shield is neither automatic nor free
Coverage amount Score-based: Medium finding = 1 point, High = 5 points, audit-type multiplier; 0 points = $500k, 30+ points = $1k
Coverage window Team selects a time-bound protection window; coverage applies only within it
Dispute costs Escalation to the claims committee costs $1k, to the UMA Optimistic Oracle roughly $15k
Negotiation Supervised negotiation allowed, capped at 14 days, only in Sherlock-moderated channels
Worked example (checkable) Gamma Staking contest, May 2024: 0 High and 2 Medium valid findings per the public judging repo. Points: 2 x 1 = 2, below 3 even after any audit-type multiplier, so up to $250,000 Shield coverage. Because contest results are public, this part of the promise is verifiable by anyone; whether Gamma actually bought Shield is not public.

Who decides on claims Provider claim

Disputes run through a three-tier system: first a Sherlock Bounty Judge (core team member), then the Sherlock Protocol Claims Committee (7 members, enforced as a 4-of-7 multisig, one week to decide), and finally the UMA Optimistic Oracle, where tens of thousands of UMA tokenholders vote. The top tier is genuinely independent of Sherlock, but reaching it costs roughly $15k. The first two tiers are Sherlock-internal or Sherlock-appointed.

Assecura Score Our assessment

A structured assessment across seven categories, 0 to 100 points in total. The score is an opinion based on the sources below, not a probability of payout and not a guarantee.

Coverage clarity 9/20

The coverage amount is genuinely checkable: the score formula and contest findings are public, so the possible cap can be recomputed by anyone (see worked example below). But what triggers a payout is not: no public binding wording, no event catalogue, final terms private per engagement.

Capital & liquidity 4/20

Sherlock itself states that availability of funds is not guaranteed. The V2 staking pool that historically paid claims is readable live above and holds only a fraction of former reserves; whether Shield payouts still run through it is not public. Against that, caps are small ($500k max), which limits the promise and the required capital alike.

Claims process 9/15

The UMA escalation is the most independent top instance in the market and the Euler case proves the pipeline can move millions. Deduction: the first two tiers are Sherlock-internal, escalation costs money, and there is no public claims database.

Technical security 7/15

Sherlock is itself a leading audit house and its coverage protocol runs on Ethereum mainnet. But audits of the current Shield contracts, their upgrade paths and admin rights were not publicly verifiable in this analysis.

Governance 4/10

A company, not a DAO: Sherlock holds full discretion over platform participation, committee composition can change, and there is no member governance over claims. The 4-of-7 committee multisig is a real but limited check.

Legal enforceability 5/10

Unlike a discretionary mutual there is a real bilateral contract between Sherlock and the protocol team. But the terms are private, explicitly not insurance, and disclaim guaranteed payment, so enforceability cannot be assessed from outside.

Transparency & data quality 4/10

The audit side is radically transparent: contests, prize pots, scope repos and every judged finding are public. The cover side is the opposite: no capital data, no claims database, no published wording. The gap shows this is a choice, not a culture problem, and that weighs on the rating.

Total 42/100 · Weak

Red flags Our assessment

01

No complete public product terms: coverage is governed by private, per-engagement agreements. Under the Assecura methodology this alone triggers an automatic warning.

02

No public information about the capital backing payouts, and Sherlock itself disclaims guaranteed availability of funds: the second automatic warning.

03

The 2023 Euler payout consumed roughly 90% of reserves per press reporting; the current balance of the staking pool is readable live above. The old capital model effectively died with its first big claim.

04

The first two claim instances (Bounty Judge, claims committee) are Sherlock-internal or Sherlock-appointed; independence only begins at UMA, behind a roughly $15k escalation fee.

05

End users are never entitled to anything: payouts go to protocol teams, and Sherlock explicitly warns that users should not assume reimbursement.

06

The auditor insures its own audit: if a covered exploit occurs, Sherlock pays for its own miss. That aligns incentives before launch but creates a conflict of interest in claims assessment.

Open questions Our assessment

Points this analysis could not verify. Anyone buying significant cover should clarify these first.

Sources

Analysis as of 2026-07-14. Live figures update every 5 minutes from the contracts. Not affiliated with Sherlock. Informational only, no legal, investment or insurance advice.