This article is more than one year old

DeFi insurer Sherlock teeters on the edge after reserves fall 90%

Sherlock, a platform that insures the integrity of computer code powering DeFi protocols, is in dire straits. Over the last year, its reserves have fallen by 90%, to $3 million.

The cause: Sherlock got the one thing wrong that an insurer cannot get wrong — pricing risk.

In March, Sherlock paid out a $4.5 million claim to Euler Finance after its code was exploited for a $200 million loss. This incident left Sherlock with only $2.9 million left in its coffers, according to the platform’s dashboard.

With Sherlock currently providing $16.5 million worth of coverage to almost a dozen different protocols, a big claim from just one of them could push the platform into a position where it can no longer honour its contracts.

Sherlock’s survival

“Sherlock will not survive if depositors can’t be attracted,” Sherlock co-founder Jack Sanford told DL News. “Payouts like Euler are an existential risk to Sherlock’s survival, because the protocol payments to date have not been nearly enough to make up for the loss.”

Sherlock’s woes couldn’t have struck at a worse moment. The need for exploit coverage in DeFi is stronger than ever. Last year, hackers stole over $3.2 billion from DeFi protocols, with several nine-figure exploits resulting from code vulnerabilities.

DeFi protocol losses from hacks.

With the crypto market rallying, the money flowing into DeFi is likely to increase, making protocols even bigger targets for hackers. The market is primed for an outfit like Sherlock that can neutralise hacking risk in DeFi.

Join the community to get our latest stories and updates

NOW READ: Hacker picks off $11m from old contract at Yearn Finance

“Sherlock’s belief is that in order to get crypto to mass adoption people need to feel safe putting their life savings into DeFi,” Sanford said. “You can never prove that a smart contract is 100% safe. So the next best thing you can do is try to make sure people get reimbursed when a hack happens.”

Pricing risk

Sherlock caught on with investors after it opened its staking pool in late 2021, quickly attracting $30 million in deposits.

“Sherlock’s business model is essentially an insurance-book,” 0xWenMoon, a DAO treasury manager active in the DeFi community, told DL News. “The name of the game is trying to make sure the premiums you charge exceed your payouts. However, the problem here is, to put it bluntly, I don’t think anyone can price risk in DeFi correctly as of yet.”

NOW READ: Do Kwon associate Han bought $2.2m flat in Belgrade during manhunt

Sherlock prefers not to be called an insurer because in some jurisdictions the term only applies to entities that have government funds backing them. Even so, the platform works similarly to its TradFi counterparts.

Sherlock audits prospective protocols with both community contributors and in-house “Watsons” — blockchain security experts who perform code audits.

‘You can never prove that a smart contract is 100% safe. So the next best thing you can do is try to make sure people get reimbursed when a hack happens.’

—  Jack Sanford

Based on the Watsons’ findings, Sherlock offers protocols coverage against code exploits for a premium. This is paid out to Sherlock stakers, who deposit USDC into a pool that settles claims for covered protocols when their code is exploited.

Stakers stand to lose up to half of their funds each time Sherlock pays out a claim, so it’s imperative that the audits properly assess the risk of a hack.

Users getting burned

But users who take up Sherlock’s offer are getting burned. One user who made deposits into Sherlock’s staking pool told DL News he had lost around 70% of his funds.

“It’s never going to function properly as an auditor,” the user said. “Protocols are paying pennies on the dollar for auditing while Sherlock downplays the risks to depositors.”

Posts in the Sherlock Discord server from other depositors paint a similar picture. Another user going by the name mydefid001 admitted to depositing $1,460 worth of USDC into Sherlock late last year. “Now it’s only showing me $400,” mydefid001 said.

Funds deposited into Sherlock's staking pool.

Meanwhile, Sherlock is under pressure to attract more depositors. To make staking more attractive, Sherlock started putting user-deposited funds from its staking pool into the lending protocol Maple Finance to generate additional yield for depositors.

This strategy backfired when crypto trading firm Orthogonal Trading, which had borrowed Sherlock’s funds through Maple, defaulted on its loans after suffering losses in FTX’s bankruptcy. This event resulted in a $4 million loss for Sherlock depositors.

Protocols hacked

An imbalance of premiums and paying claims, which has been the cornerstone of the insurance business for centuries, is at the heart of Sherlock’s woes.

Sherlock pays out around 19% annually to those depositing to its staking pool. On the other side of the equation, protocols pay Sherlock 3% of their covered amount. For example, a protocol that receives $2 million of coverage pays $60,000 every 12 months. Based on the 3% fee, the platform expects to pay out a claim on each protocol it covers approximately every 33.3 years.

When hackers this year exploited loopholes in two protocols Sherlock audited — Euler Finance and Sentiment — it became evident Sherlock had drastically underpriced its coverage at the expense of its depositors.

NOW READ: Euler hacker returns $176m of stolen funds amid ‘ongoing’ negotiations

“It’s dirt cheap compared to actual insurance,” one Sherlock depositor who wished to remain anonymous told DL News.

Sanford told DL News that the payments Sherlock charges anticipated a much less frequent occurrence of exploits. “After Euler and Sentiment, it’s become clear that the events are more frequent than expected,” he said.

Sherlock has increased its premiums, but Sanford said this may not be enough. “Sherlock will likely need to increase prices again,” he said.

‘I’ve been counting down the days till I can withdraw my remaining 30% and never think about that awful protocol again.’

—  Sherlock user

And it may also prove difficult for Sherlock to attract the new depositors it so desperately needs.

“I’ve been counting down the days till I can withdraw my remaining 30% and never think about that awful protocol again,” said the Sherlock depositor.

Unexpected relief

Meanwhile, Sherlock has received relief from unlikely sources — the Euler and Sentiment hackers.

“One caveat is that 90% of the funds from Sentiment were returned two days later,” Sanford said. “And it looks like there may be a recovery for Sherlock stakers when it comes to Euler as well.”

Whether Sherlock will be this fortunate if more protocols it covers are exploited remains to be seen.