Sherlock - Comprehensive Security Partnership

Summary

At Sherlock, our mission is to provide unparalleled security services through a scalable decentralized model and exceptional expertise. We understand the critical importance of robust security and are committed to offering Compound Finance a comprehensive security partnership and helping build an active security community around the protocol. Our proposal encompasses audits, security advisory, educational content, code bootcamps, threat detection and monitoring, incident response, and exploit/bug bounty coverage. Our decentralized model and scalable pool of security researchers allow us to operate with speed and efficiency, ensuring that security is never a bottleneck to growth and innovation at Compound.

Background

Sherlock is a leading security company dedicated to safeguarding Web3 through its revolutionary audit contests, where the world’s top security researchers compete to identify vulnerabilities in users’ code bases. Our unique approach combines the meticulous focus and collaboration of traditional audits with the extensive participation of security experts from our audit contests, creating a “best of both worlds” solution.

Our extensive experience and proven success are highlighted by:

  • Over 175 audits completed with a 97.8% success rate of finding at least a Medium-severity vulnerability.
  • Over $1.5mm awarded to Sherlock to manage multiple security grant programs by some of the largest protocols.
  • We are executing the largest audit contest in history this July for $1.35mm, with details to be announced soon.
  • Multiple case studies highlighting the effectiveness and efficiency of our services.

Sherlock’s consistent track record of exceeding expectations has fueled high demand for our audits, supported by the number of projects that return for a second audit after their initial success. Here are a few of our valued customers:

How Sherlock Adds Value to Compound

The Effectiveness of our Security Services

At Sherlock, we pride ourselves on delivering highly effective security services that ensure comprehensive protection for our partners. Sherlock consistently finds more critical/high-severity bugs in less time than other audits. In addition, our extensive network of security researchers provides us with a flexible talent pool, ensuring we can allocate the best expertise for any specific security issue.

Speed and Responsiveness

Sherlock’s scalable and decentralized model ensures unparalleled speed and responsiveness in delivering our services.

  • Our contest audit model accelerates the auditing process, with hundreds of security professionals reviewing code. The competition among researchers drives efficiency and reduces time-to-completion.
  • With access to a vast network of curated and ranked security experts, we can quickly scale our resources to meet any demand. Whether it’s a critical security advisory request or an urgent incident response, we have the right professionals ready to respond immediately.

Building and Growing a Robust Security Community

Sherlock’s approach goes beyond providing immediate security solutions; we aim to foster a thriving security community around Compound. This community-driven model adds significant value in the following ways:

  • By involving a large number of security professionals in our comprehensive partnership, we create a community of experts who are deeply familiar with Compound’s protocol. This collective knowledge base continuously grows, leading to more effective and proactive security measures.
  • Our comprehensive educational offerings, including code bootcamps and walkthroughs, ensure that both existing and new members of the Compound community are well-versed in best security practices. This ongoing education helps to cultivate a security-first mindset among all stakeholders.

Proposal Scope

The following are the services that Sherlock will provide and the resources allocated to provide them:

Resource Allocation & Headcount

  • Dedicated Senior Watsons: Sherlock will dedicate 12 Senior Watson weeks (top-ranked security professionals on Sherlock’s platform) per quarter to respond to any security requests as needed.
  • On-Call Resources: Sherlock will reserve 10 other top-performing, Compound-familiar security experts ready on any given week to thoroughly review any code changes from multiple angles in a competitive setup.
  • Project Manager: Compound will be assigned a dedicated Project Manager to serve as its primary point of contact for any needs. The Project Manager will provide status updates, communication, logistics, project updates, resource triage, and responses to requests. The Project Manager will also communicate with the Compound community via forum posts.
  • Sherlock Security Team: Compound will have access to Sherlock’s two in-house security professionals as needed to respond to security requests.
  • Sherlock Scoping and Operations Teams: Compound will have access to Sherlock’s dedicated scoping and operations teams on an ongoing basis.

Our combination of in-house Sherlock personnel along with access to a scalable pool of security experts allows us to provide comprehensive service without sacrificing speed or efficiency.

Thanks to our extensive pool of top-tier security professionals and our robust database of each individual’s skills & experience, we provide comprehensive solutions to offer end-to-end security coverage, including:

Ongoing Audits & Code Reviews

One of the primary reasons so many projects elect to trust Sherlock with their codebase security lies in the superior quality and comprehensive nature of our audit contests that make us the optimal choice for protocol security. In head-to-head scenarios, Sherlock’s groundbreaking audit contests have proven significantly more effective, finding more vulnerabilities than competitors in less time.

This is due to our “best of both worlds approach”, combining the focus, collaboration, and assurance of a traditional audit with the extensive participation of security experts from an audit contest.

We achieve this through our proprietary Leaderboard, which, unlike other platforms, is based on performance, not participation. The skill of security researchers is calculated using an Elo-style rating system (used in chess and other competitive sports/games), meaning that to climb the leaderboard, auditors must outperform higher-rated individuals.

Additionally, each Sherlock contest includes at least one Lead Senior Watson (Top 30 on the leaderboard) and one or more Watsons from the Top 150, chosen based on their leaderboard position and relevant experience with similar protocols. The Lead Senior Watson’s fixed role ensures that each contest has at least one expert auditor reviewing the codebase, consulting with the protocol team, and conducting a complimentary half-day fix review to confirm that fixes have been implemented. They earn fixed pay for leading the contest along with the ability to compete for the entire prize pool.

The Senior Watson only keeps their “senior” status as long as they outperform the other auditors in the field, pushing them to give maximum effort. This incentive alignment and proprietary ranking system are the core of Sherlock’s model and drive the superior results we produce.

Proposal Reviews & Assistance

Sherlock personnel will provide proposal reviews and assistance with a focus on identifying any potential risk conditions that may exist. Sherlock’s dedicated Compound Project Manager will triage proposals, enlist the appropriate personnel, provide status updates and communication, and field requests and questions from the DAO and community. Sherlock personnel will communicate with proposal submitters or other stakeholders through their preferred communication channel (Telegram, Slack, etc.). The Compound Project Manager will ensure communication with the broader community on the Compound Forums as needed.

Security Advisory & Dedicated Security Team

Sherlock provides a full suite of advisory services tailored to Compound’s specific needs. We offer:

  • Risk Assessments: Identifying potential threats and vulnerabilities across attack surfaces.
  • Strategic Guidance: Helping Compound develop and implement robust security strategies.

Educational Content & Code Bootcamps

  • Educational Offerings: Forum post explainers, security primers, blog posts, and other security-oriented walkthroughs.
  • Code Bootcamps: Sherlock will livestream a code walkthrough to promote increased security researcher participation and education.

Bug Bounty Management & Exploit Coverage

  • Bug Bounty Management: Sherlock will collaborate with Compound to help manage the existing bug bounty program.
  • Coverage: Sherlock will help onboard Compound to its bug bounty and exploit coverage program to provide additional protection. Please find additional details here.

Threat Detection & Monitoring

  • Sherlock will develop systems and procedures for threat detection and alerting.
  • Solutions for monitoring smart contracts in real time will be developed and implemented.

Fee Structure & Term

  • 3Q24: $850,000 payable in COMP or USDC, invoiced monthly.
  • Term: 3-month trial period.

Conclusion

Sherlock is thrilled about the opportunity to partner with Compound and continue to enhance security for the ecosystem. Our mission is to provide unparalleled security services through a scalable decentralized model and exceptional expertise.

Our proposal encompasses a broad range of security services intended to elevate the security posture of the entire ecosystem and to provide a true collaborative partnership for Compound. Our decentralized model and scalable pool of security researchers allow us to operate with speed and efficiency, ensuring that security is never a bottleneck to growth and innovation at Compound.

Key Differentiators

  • Effectiveness of Our Security Services: We pride ourselves on delivering highly effective security services that provide comprehensive protection. Sherlock consistently finds more critical/high-severity bugs in less time than other security firms. In addition, our extensive network of security researchers provides us with a flexible talent pool, ensuring we can allocate the best expertise for any specific security issue.
  • Responsive and Efficient: Our combination of in-house staff and a scalable network of security experts, all coordinated by a dedicated project manager, allows us to respond quickly and efficiently to any request.
  • Focus on Community: We believe that fostering the growth of the broader security community around Compound adds significant value by cultivating security knowledge and a security-first mindset among all stakeholders.