FiRM is Inverse Finance's flagship lending protocol that offers fixed-rate borrowing. Unlike variable-rate markets, where interest rates fluctuate based on market dynamics, FiRM ensures borrowers secure loans with fixed interest rates of any duration. This certainty attracts a broader range of users, including those who prefer traditional financial products with stable costs. FiRM supports various collateral types, each with specific parameters tailored to its risk profile.
Security is paramount in FiRM, which features multiple layers of protection for users. These include:
Personal Collateral Escrows
FiRM and Inverse Finance do not custody any funds from FiRM users. All user funds are held in Personal Collateral Escrow (PCE) contracts controlled by the user and are isolated both by individual user and by token type. This means that FiRM takes a step beyond the shared pools of user collateral commonly found in protocols like Compound Finance or Aave. PCEs are highly flexible, which allows for individual collateral factors and borrowing limits per token and per position.
Moreover, PCEs enable users to stake their assets and custody sTOKENS, such as staked versions of tokens that accrue rewards. The FiRM user is delegated the associated sTOKEN roles and permissions, such as voting or claiming rewards. This means users retain all the benefits of their staked assets, including governance participation and reward collection, while using them as collateral within FiRM.
While no lending protocol is completely immune to hacks, PCEs were designed to enable multiple new layers of security:
Isolation of Deposits: By isolating deposits in such a granular fashion compared to cross-collateral pools, PCEs no longer offer intruders a single pool of assets to target but rather many smaller targets.
Non-Lending of Collateral: With a PCE, a depositor’s collateral cannot be loaned. As the only borrowable asset in Inverse Finance’s implementation of PCEs is DOLA, and since borrowable DOLA is capped per collateral asset, the potential impact of a price oracle manipulation incident is reduced to an undue liquidation.
Pessimistic Price Oracles
This new approach to price oracles, the Pessimistic Price Oracle (PPO), is used for borrows and liquidations in FiRM and takes the lower of two recorded prices: either a) the current collateral price on Chainlink, or b) the 48-hour low price as observed by the PPO on Chainlink, divided by the collateral factor. For example, if the current Chainlink price for wETH is $1,500, the 48-hour low was $1,000 and the collateral factor is 80%, the PPO returns $1,250 ($1,000 / 0.80 = $1,250).
Attackers who rely on flash loans and other short-term techniques will be frustrated by the implementation of PPOs.
First, using the 48-hour low price minimizes the risk of FiRM allowing borrows against a rapidly and artificially inflated collateral asset price.
Second, dividing the 48-hour low price by the collateral factor creates a bias for more conservatism with volatile collateral and more freedom for less volatile collateral like stablecoins.
Finally, the PPO adds to the protection that FiRM's other security features provide: users cannot borrow against more than the lowest recorded value of their collateral over the prior two days, daily borrow limits curtail the amount of funds at risk, and user collateral is not pooled but held separately in an entirely non-custodial way.
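The pricing rule described above, replayed over a short price feed. This is an added Python model, not FiRM's contract code: the class and function names, the basis-point representation of the collateral factor, the exact window-boundary handling and the sample readings are all assumptions made for illustration.

```python
from collections import deque

HOUR = 3600
BPS = 10_000  # collateral factor expressed in basis points (assumption)

class PessimisticPriceOracle:
    """Model of the rule above: min(current price, window low / collateral factor)."""

    def __init__(self, collateral_factor_bps, window=48 * HOUR):
        if not 0 < collateral_factor_bps <= BPS:
            raise ValueError("collateral factor must be in (0, 10000] bps")
        self.cf_bps = collateral_factor_bps
        self.window = window
        self._lows = deque()  # (timestamp, price), prices ascending; front = window low

    def observe(self, timestamp, feed_price):
        """Record one feed reading and return the price usable for borrowing."""
        # Expire readings that have aged out of the observation window.
        while self._lows and self._lows[0][0] <= timestamp - self.window:
            self._lows.popleft()
        # A reading at or above the new price can never be the window low again.
        while self._lows and self._lows[-1][1] >= feed_price:
            self._lows.pop()
        self._lows.append((timestamp, feed_price))
        window_low = self._lows[0][1]
        return min(feed_price, window_low * BPS // self.cf_bps)

def borrow_power(units, ppo_price, collateral_factor_bps):
    """Value borrowable against `units` of collateral at the PPO price."""
    return units * ppo_price * collateral_factor_bps // BPS

def replay(feed, collateral_factor_bps):
    """Feed (timestamp, price) readings through a fresh oracle; return PPO prices."""
    oracle = PessimisticPriceOracle(collateral_factor_bps)
    return [oracle.observe(t, p) for t, p in feed]

# Constructed wETH/USD readings as (timestamp, price); not real market data.
SAMPLE_FEED = [
    (0 * HOUR, 1000),   # becomes the 48-hour low
    (12 * HOUR, 1200),
    (24 * HOUR, 1500),  # the page's example: current 1500, low 1000, CF 80%
    (25 * HOUR, 5000),  # short-lived inflated reading
    (26 * HOUR, 1500),
    (49 * HOUR, 1500),  # the 1000 reading has aged out; the low is now 1200
    (80 * HOUR, 900),   # a genuine drop takes effect immediately
]
```

With an 80% collateral factor, the inflated 5,000 reading leaves the PPO price at 1,250, so borrowing power per unit stays at 1,000, the 48-hour low.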
Protocol Safety
The PPO reduces the probability of short-term and flash-loan type oracle price manipulation attacks.
Many oracle price manipulations occur due to low liquidity in a market. For tokens with low liquidity, we believe PPOs offer a useful tool for lenders and borrowers.
Healthier Borrowing
For those engaged in high-frequency arbitrage or impulse trading, especially with volatile assets, PPOs may not be ideal. However, for long-term borrowers, the target market for FiRM, PPOs provide added safety for both borrowers and Inverse Finance.
Flexible
The PPO’s observation window can be adjusted over time in either direction, as can collateral factors.
Daily Borrow Limits
A daily borrow limit sets a ceiling on the total amount of DOLA available for loans on any given day in each market. A daily borrow limit helps Inverse reduce its risk exposure on a per-market basis and in the future will allow for the support of more high-risk collateral assets and even PCEs with customized borrow limits. This limit is adjusted regularly by the RWG as the system matures.
Contract Address Whitelist
A contract address whitelist is a list of approved contract addresses that are allowed to interact with a particular smart contract. This is often used as a security measure to prevent unauthorized contracts from accessing or modifying the data or functionality of the whitelisted contract.
In FiRM, as a precaution against flash loan attacks, contracts are restricted from borrowing unless they are whitelisted at the Borrow Controller level. This means that while contracts can interact with FiRM for actions such as depositing collateral, they are restricted from borrowing DOLA unless explicitly permitted. This approach allows regular user wallets and trusted contracts to interact while limiting automated attacks, forcing any attacker to be extremely well-capitalized.
Flash Loan Protection: Flash loan attacks require contract interactions for borrowing and are therefore impossible unless the contract is whitelisted. This prevents single-transaction attacks like the one Euler suffered.
Integration Trade-Offs: While this security measure enhances protection, it also requires other protocols wishing to integrate with FiRM to contact us for whitelisting if they need borrowing capabilities. We consider this a worthwhile trade-off for the increased security it provides.
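How the contract whitelist and the daily borrow limit described above combine on a single borrow request, as an added Python model rather than FiRM's Borrow Controller code. All names, the placeholder addresses and the day-bucket accounting are assumptions, and whether the caller is a contract is passed in as an input instead of being detected.

```python
DAY = 86_400  # seconds; the model buckets borrows by day index (assumption)

class BorrowControllerModel:
    """Model of the two borrow gates described above; all names are hypothetical."""

    def __init__(self):
        self.contract_allowlist = set()  # contracts approved to borrow
        self.daily_limit = {}            # market -> DOLA ceiling per day
        self._borrowed = {}              # (market, day index) -> DOLA borrowed so far

    def borrow_allowed(self, market, caller, caller_is_contract, amount, now):
        """Return (allowed, reason). A denied request uses none of the day's limit."""
        if amount <= 0:
            return False, "invalid amount"
        # Gate 1: contracts may borrow only if they are on the whitelist.
        if caller_is_contract and caller not in self.contract_allowlist:
            return False, "contract not whitelisted"
        # Gate 2: per-market ceiling on DOLA borrowed within the current day.
        if market not in self.daily_limit:
            return False, "unknown market"
        key = (market, now // DAY)
        used = self._borrowed.get(key, 0)
        if used + amount > self.daily_limit[market]:
            return False, "daily borrow limit exceeded"
        self._borrowed[key] = used + amount
        return True, "ok"

def run_scenario():
    """Replay constructed borrow requests against one market; return the reasons."""
    bc = BorrowControllerModel()
    bc.daily_limit["WETH"] = 1_000_000
    bc.contract_allowlist.add("0xTRUSTED_INTEGRATION")  # placeholder address
    t0 = 19_000 * DAY  # arbitrary start of a day
    requests = [  # (caller, is_contract, DOLA amount, timestamp), all constructed
        ("0xUSER_WALLET", False, 600_000, t0 + 10),
        ("0xUNLISTED_CONTRACT", True, 100_000, t0 + 20),
        ("0xTRUSTED_INTEGRATION", True, 500_000, t0 + 30),  # whitelisted, over limit
        ("0xTRUSTED_INTEGRATION", True, 400_000, t0 + 40),  # fills the day's limit
        ("0xUSER_WALLET", False, 1, t0 + 50),
        ("0xUSER_WALLET", False, 1, t0 + DAY),  # next day: fresh limit
    ]
    return [bc.borrow_allowed("WETH", c, is_c, amt, ts)[1]
            for c, is_c, amt, ts in requests]
```

In the replay, whitelisting does not bypass the daily limit, and the rejected requests leave the day's remaining capacity unchanged.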