Sherlock is primarily an audit and contest platform. Its cover product, Sherlock Shield, pays out only for exploits in code Sherlock itself audited, is capped at $500,000, and is sold to protocol teams, not end users. This profile examines how much protection that promise really contains. Facts, not advice.
A narrow but transparently framed product. The dispute process with UMA escalation is a distinctive design and the Euler payout is a documented track record. On the other side, coverage is capped at $500k, terms are private per engagement, and Sherlock states that neither payment nor availability of funds is guaranteed.
How to read this page: where each value comes from
Only on-chain values are verifiable without trusting anyone. Everything off-chain, including binding documents, ultimately relies on trust in the source.
Reading the chain…
The key structural point: Shield is an accessory to the audit business, not a standalone insurance pool. Coverage exists only for code Sherlock audited, the amount depends on how clean the audit was, and the buyer is the protocol team. For a DeFi user this product provides no direct claim at all.
No public, binding cover wording exists; the following is compiled from provider documentation. Final terms are set per engagement and are not public, which is itself a finding.
Disputes run through a three-tier system: first a Sherlock Bounty Judge (core team member), then the Sherlock Protocol Claims Committee (7 members, enforced as a 4-of-7 multisig, one week to decide), and finally the UMA Optimistic Oracle, where tens of thousands of UMA tokenholders vote. The top tier is genuinely independent of Sherlock, but reaching it costs roughly $15k. The first two tiers are Sherlock-internal or Sherlock-appointed.
A structured assessment across seven categories, 0 to 100 points in total. The score is an opinion based on the sources below, not a probability of payout and not a guarantee.
The coverage amount is genuinely checkable: the score formula and contest findings are public, so the possible cap can be recomputed by anyone (see worked example below). But what triggers a payout is not: no public binding wording, no event catalogue, final terms private per engagement.
Sherlock itself states that availability of funds is not guaranteed. The V2 staking pool that historically paid claims is readable live above and holds only a fraction of former reserves; whether Shield payouts still run through it is not public. Against that, caps are small ($500k max), which limits the promise and the required capital alike.
The UMA escalation is the most independent top instance in the market and the Euler case proves the pipeline can move millions. Deduction: the first two tiers are Sherlock-internal, escalation costs money, and there is no public claims database.
Sherlock is itself a leading audit house and its coverage protocol runs on Ethereum mainnet. But audits of the current Shield contracts, their upgrade paths and admin rights were not publicly verifiable in this analysis.
A company, not a DAO: Sherlock holds full discretion over platform participation, committee composition can change, and there is no member governance over claims. The 4-of-7 committee multisig is a real but limited check.
Unlike a discretionary mutual there is a real bilateral contract between Sherlock and the protocol team. But the terms are private, explicitly not insurance, and disclaim guaranteed payment, so enforceability cannot be assessed from outside.
The audit side is radically transparent: contests, prize pots, scope repos and every judged finding are public. The cover side is the opposite: no capital data, no claims database, no published wording. The gap shows this is a choice, not a culture problem, and that weighs on the rating.
No complete public product terms: coverage is governed by private, per-engagement agreements. Under the Assecura methodology this alone triggers an automatic warning.
No public information about the capital backing payouts, and Sherlock itself disclaims guaranteed availability of funds: the second automatic warning.
The 2023 Euler payout consumed roughly 90% of reserves per press reporting; the current balance of the staking pool is readable live above. The old capital model effectively died with its first big claim.
The first two claim instances (Bounty Judge, claims committee) are Sherlock-internal or Sherlock-appointed; independence only begins at UMA, behind a roughly $15k escalation fee.
End users are never entitled to anything: payouts go to protocol teams, and Sherlock explicitly warns that users should not assume reimbursement.
The auditor insures its own audit: if a covered exploit occurs, Sherlock pays for its own miss. That aligns incentives before launch but creates a conflict of interest in claims assessment.
Points this analysis could not verify. Anyone buying significant cover should clarify these first.
Analysis as of 2026-07-14. Live figures update every 5 minutes from the contracts. Not affiliated with Sherlock. Informational only, no legal, investment or insurance advice.