FiRM and Inverse Finance do not custody any funds from FiRM users. All user funds are held in Personal Collateral Escrow (PCE) contracts controlled by the user and are isolated both by individual user and by token type. This means that FiRM takes a step beyond the shared pools of user collateral commonly found in protocols like Compound Finance or Aave. PCEs are highly flexible, which allows for individual collateral factors and borrowing limits per token and per position.
While no lending protocol is completely immune to hacks, PCEs were designed to enable multiple new layers of security. First, by isolating deposits in such a granular fashion compared to cross-collateral pools, PCEs no longer offer intruders a single pool of assets to target but rather many smaller targets. Second, with a PCE a depositor's collateral cannot be loaned. Because the only borrowable asset in Inverse Finance's implementation of PCEs is DOLA, and because borrowable DOLA is capped per collateral asset, the potential impact of a price oracle manipulation incident is reduced to an undue liquidation.
Pessimistic Price Oracles
The Pessimistic Price Oracle (PPO) is a new approach to price oracles for borrows and liquidations in FiRM. It uses the lower of two recorded prices: either a) the current collateral price on Chainlink, or b) the 48-hour low price as observed by the PPO on Chainlink, divided by the collateral factor. For example, if the current Chainlink price for wETH is $1,500, the 48-hour low was $1,000 and the collateral factor is 80%, the PPO returns $1,250 ($1,000 / 0.80 = $1,250).
Attackers who rely on flash loans and other short-term techniques will be frustrated by the implementation of PPOs.
First, using the 48-hour low price minimizes the risk of FiRM allowing borrows against a rapidly and artificially inflated collateral asset price.
Second, dividing the 48-hour low price by the collateral factor creates a bias for more conservatism with volatile collateral and more freedom for less volatile collateral like stablecoins.
Finally, the PPO works alongside FiRM's other security features. It prevents users from borrowing against more than the lowest recorded value of their collateral over the prior two days, daily borrow limits curtail the amount of funds at risk, and user collateral is not pooled but held separately in an entirely non-custodial way.
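The pricing rule and the "lowest recorded value" borrowing cap described above can be replayed over a series of feed readings. This is an added example, not FiRM's contract code; it assumes the 48-hour window is tracked as two daily buckets, that borrowing power is collateral value times the collateral factor, and it uses constructed prices and hypothetical names (`PessimisticOracle`, `replay`, `SAMPLE`).

```python
from dataclasses import dataclass, field

DAY = 86_400   # seconds
BPS = 10_000   # basis points; 8_000 = 80% collateral factor


@dataclass
class PessimisticOracle:
    """Model of the pricing rule described in the text (not FiRM's contract code)."""
    collateral_factor_bps: int
    window_days: int = 2  # assumption: the 48-hour window is tracked as two daily buckets
    daily_lows: dict = field(default_factory=dict)  # day index -> lowest feed price seen

    def observe(self, feed_price: int, timestamp: int) -> int:
        """Record one feed reading and return the price used for borrows and liquidations."""
        day = timestamp // DAY
        self.daily_lows[day] = min(feed_price, self.daily_lows.get(day, feed_price))
        # Forget buckets that have aged out of the observation window.
        for old in [d for d in self.daily_lows if d <= day - self.window_days]:
            del self.daily_lows[old]
        window_low = min(self.daily_lows.values())
        # Lower of: current feed price, or window low divided by the collateral factor.
        return min(feed_price, window_low * BPS // self.collateral_factor_bps)

    def max_borrow(self, price: int, collateral_units: int) -> int:
        """Assumed borrowing power: collateral value at the oracle price times the factor."""
        return collateral_units * price * self.collateral_factor_bps // BPS


def replay(readings, collateral_factor_bps=8_000):
    """Feed (timestamp, price) readings through the oracle; return (price, max borrow per unit)."""
    oracle = PessimisticOracle(collateral_factor_bps)
    out = []
    for ts, feed in readings:
        price = oracle.observe(feed, ts)
        out.append((price, oracle.max_borrow(price, 1)))
    return out


# Constructed readings (whole USD): the page's wETH case, a one-reading spike,
# a sustained recovery across the window, then a sudden drop.
SAMPLE = [(0, 1_000), (3_600, 1_500), (7_200, 5_000),
          (DAY, 1_500), (2 * DAY, 1_500), (2 * DAY + 60, 700)]

if __name__ == "__main__":
    for (ts, feed), (price, borrow) in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={ts:>6}s feed=${feed:<5} oracle=${price:<5} max borrow/unit=${borrow}")
```

While the $1,000 low is inside the window, borrowing power per unit stays at $1,000 no matter how high the feed spikes, whereas a drop to $700 is reflected immediately.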
Protocol Safety
The PPO reduces the probability of short-term and flash-loan type oracle price manipulation attacks.
Many oracle price manipulations occur due to low liquidity in a market. For tokens with low liquidity, we believe PPOs offer a useful tool for lenders and borrowers.
Healthier Borrowing
For those engaged in high-frequency arbitrage or impulse trading, especially with volatile assets, PPOs may not be ideal. However, for long-term borrowers, the target market for FiRM, PPOs provide added safety for both borrowers and Inverse Finance.
Flexible
The PPO's observation window can be adjusted over time in either direction, as can collateral factors.
Daily Borrow Limits
A daily borrow limit sets a ceiling on the total amount of DOLA available for loans on any given day in each market. A daily borrow limit helps Inverse reduce its risk exposure on a per-market basis and in the future will allow for the support of more high-risk collateral assets and even PCEs with customized borrow limits. This limit is adjusted regularly by the RWG as the system matures.
Contract Address Whitelist
A contract address whitelist is a list of approved contract addresses that are allowed to interact with a particular smart contract. This is often used as a security measure to prevent unauthorized contracts from accessing or modifying the data or functionality of the whitelisted contract.
As a precaution against flash loan attacks, FiRM only allows whitelisted contract interactions. This allows regular user wallets to interact while limiting automated attacks, forcing any attacker to be extremely well-capitalized. Flash loan attacks require contract interactions and are therefore impossible. This prevents single-transaction attacks like the one Euler suffered, but it also makes it more of a hassle for other protocols to integrate with FiRM, as they will need to contact us to be whitelisted. We consider this a worthy trade-off.