FiRM Security & Safety

FiRM implements defense-in-depth security through six distinct protective mechanisms: Personal Collateral Escrows isolate positions, Pessimistic Price Oracles use conservative valuations, Borrow Limits prevent manipulation, Contract Whitelisting blocks exploits, Staleness Thresholds guard against oracle failures, and continuous Risk Working Group oversight manages evolving threats.

Risk Working Group Oversight

FiRM's security architecture is continuously evaluated and enhanced by the Risk Working Group (RWG), a team of risk management specialists who analyze protocol vulnerabilities, propose parameter adjustments, and develop frameworks for safe collateral onboarding.

The RWG publishes detailed security assessments, collateral risk analyses, and parameter recommendations in the Risk Working Group Digest. This transparency allows the community to understand the reasoning behind security decisions and participate in governance discussions about risk management.

Stay informed: Read the RWG Digest to understand ongoing risk assessments and proposed security enhancements.


Personal Collateral Escrows (PCE)

Every FiRM position is isolated in its own Personal Collateral Escrow—a dedicated smart contract that holds only your collateral for one specific token type. This architecture provides critical security and functionality advantages over traditional pooled lending systems.

How PCE Works

When you deposit collateral on FiRM, the protocol deploys a new smart contract escrow specifically for you and that token. Your WETH goes into a separate escrow from your INV position. Your escrow is completely separate from other users' escrows. No sharing, no pooling, no cross-contamination.

Contained exploit risk: If an attacker finds a vulnerability in a specific collateral type's escrow implementation, only positions in that collateral type are at risk. Your other positions using different collateral remain completely safe. Compare this to pooled systems where exploiting one asset's oracle could drain the entire protocol. A compromised WETH market cannot affect your CVX market, your INV market, or any other position you hold.

Functional Benefits Beyond Security

Governance rights preservation: PCE enables staking governance tokens as collateral while retaining voting rights. Your CVX in your personal escrow can vote on Curve proposals. Your INV continues earning staking rewards and governance participation. Traditional lending requires you to forfeit these rights when depositing.

No rehypothecation: Your collateral in your PCE is never lent to others, never used for protocol operations, never deployed in strategies without your explicit consent. It sits in your escrow until you withdraw it after repaying debt.

Simplified position tracking: Each escrow holds one token type for one user. No complex accounting across pooled positions. No wondering if protocol-wide issues affect your specific collateral. Just check your personal escrows to understand exact positions.


Pessimistic Price Oracles (PPO)

FiRM's Pessimistic Price Oracles evaluate collateral using the lower of two values: the current Chainlink price and a 48-hour trailing low price, adjusted by the collateral factor. This conservative approach protects against flash loan manipulation and temporary price spikes while providing stability for long-term borrowers.

PPO uses a two-step process to determine your collateral's borrowing value:

1. Compare two prices
  • Current Chainlink oracle price (real-time market price)
  • 48-hour low price (lowest price in past 2 days)
  • Take the lower of these two values

2. Apply collateral factor
  • Divide the selected price by the collateral factor
  • Result is your borrowable value per unit of collateral

3. Example

Assume you deposit wETH with an 80% collateral factor:
  • Current Chainlink price: $1,500
  • 48-hour low: $1,000
  • PPO selects: $1,000 (lower value)
  • Borrowable value: $1,000 ÷ 0.80 = $1,250 per wETH

Even though wETH currently trades at $1,500, FiRM values it at $1,250 for borrowing purposes. This $250 buffer ($1,500 - $1,250) provides protection against rapid downward price movements.

Protection Against Manipulation

Flash loan resistance: Attackers cannot pump an asset's price for a single block or transaction to extract more borrowing capacity. PPO ignores momentary spikes because the 48-hour low anchors valuations to sustained price levels. Even if someone manipulates wETH to $2,000 for one block, PPO still uses the 48-hour low of $1,000.

Pump-and-dump immunity: Coordinated pumps that briefly inflate prices cannot be exploited for over-borrowing. By the time an asset's price pumps sustainably enough to raise the 48-hour low, the manipulation window has passed and costs become prohibitive.

Oracle failure safety: If Chainlink experiences issues and reports incorrect prices temporarily, the 48-hour low provides a fallback anchor preventing extreme over-valuations. The conservative approach means FiRM errs toward undervaluing collateral rather than overvaluing it.

Conservative by design: PPO intentionally gives you less borrowing capacity than current market prices suggest. This protects both you and the protocol from rapid downside moves and manipulation.
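The two-step valuation and the one-block spike scenario described above, as an added Python example (not FiRM's contract code). The wETH prices, timestamps and 48-hour sampling are constructed; the collateral factor is expressed in basis points (8000 = 80%); and the cap at the current market price is an assumption drawn from the page's conservative-by-design statement rather than a documented rule.

```python
from collections import deque

WINDOW_48H = 48 * 3600

def ppo_value(chainlink_price: float, low_48h: float, cf_bps: int) -> float:
    """Borrowable value per unit of collateral, following the page's two steps:
    1. take the lower of the current Chainlink price and the 48-hour low,
    2. divide that price by the collateral factor (basis points, 8000 = 80%).
    Assumption not stated on the page: the result is capped at the current market
    price, so the oracle never values collateral above what it trades at."""
    if not 0 < cf_bps <= 10_000:
        raise ValueError("collateral factor must be in (0, 10000] bps")
    selected = min(chainlink_price, low_48h)                    # step 1
    return min(selected * 10_000 / cf_bps, chainlink_price)     # step 2 (+ cap)

class TrailingLow:
    """Lowest price observed in a trailing window (48 h by default).
    Observations are (timestamp, price) pairs kept oldest-first."""

    def __init__(self, window: int = WINDOW_48H):
        self.window = window
        self.obs = deque()

    def observe(self, ts: int, price: float) -> None:
        self.obs.append((ts, price))
        while self.obs[0][0] <= ts - self.window:   # forget prices older than the window
            self.obs.popleft()

    def low(self) -> float:
        return min(p for _, p in self.obs)

def spike_scenario(cf_bps: int = 8000) -> tuple:
    """Constructed wETH history: $1,000, then $1,500, one manipulated block at
    $2,000, then $1,500 held until the $1,000 print is older than 48 h.
    Returns borrowable values (steady, during the spike, after the low rises)."""
    hour = 3600
    t = TrailingLow()
    t.observe(0, 1000.0)
    t.observe(24 * hour, 1500.0)
    steady = ppo_value(1500.0, t.low(), cf_bps)      # min(1500, 1000) / 0.80 = 1250
    t.observe(24 * hour + 12, 2000.0)                # one-block pump to $2,000
    during = ppo_value(2000.0, t.low(), cf_bps)      # low is still 1000 -> 1250
    t.observe(24 * hour + 24, 1500.0)                # pump reverts next block
    t.observe(73 * hour, 1500.0)                     # $1,000 print has aged out
    after = ppo_value(1500.0, t.low(), cf_bps)       # low 1500 -> capped at 1500
    return steady, during, after
```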


Borrow Limits

FiRM implements two types of borrow limits that work together to prevent manipulation, ensure efficient liquidations, and provide fair access across all timezones.

Minimum Debt Amount

Each market enforces a minimum debt threshold per user. You cannot borrow less than this minimum amount in any single position.

Why minimums exist: Tiny borrow positions create inefficiency in liquidation systems. If someone borrows $10 of DOLA, liquidating that position costs more in gas fees than the debt itself. Attackers could create thousands of small positions to clog liquidation queues, preventing healthy positions from being efficiently managed during market stress.

Griefing prevention: Minimum debt requirements curtail malicious strategies where attackers open many small positions to disrupt protocol operations. Each position must represent meaningful economic value that justifies the computational overhead of managing it.

Efficient capital allocation: Higher minimums encourage borrowers to consolidate into fewer, larger positions rather than fragmenting across many small ones. This improves protocol efficiency and reduces governance overhead in managing parameters.

Rolling 24-Hour Borrow Limit

Instead of resetting daily limits at a fixed time (e.g., midnight UTC), FiRM employs a continuously replenishing cap over a 24-hour rolling window. This prevents exploitation while ensuring fair access regardless of timezone.

How rolling limits work: Each market has a maximum amount that can be borrowed in any 24-hour period. As time passes, the oldest borrows "expire" from the window and capacity replenishes. If someone borrows 1M DOLA at 3:00 PM today, that capacity becomes available again at 3:00 PM tomorrow.

Preventing reset exploitation: Fixed-time resets create arbitrage opportunities where sophisticated users borrow maximum amounts right before reset, then immediately borrow again after reset, effectively doubling access. Someone could borrow 1M DOLA at 11:59 PM, then another 1M at 12:01 AM, bypassing daily limits. Rolling windows eliminate this loophole.

Fair global access: Users in different timezones have equal access to borrow capacity. Asian users aren't disadvantaged because reset happens during their night hours. European users don't get first access every morning. Capacity replenishes continuously based on when previous borrows occurred.
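The rolling window versus a fixed midnight reset, as an added Python simulation (not the Borrow Controller's code); the 1M DOLA cap, the 11:59 PM/12:01 AM straddle and the 3:00 PM replenishment are the page's own scenarios, and the class and function names are assumed for illustration.

```python
from collections import deque

DAY = 24 * 3600

class RollingBorrowLimit:
    """Per-market cap on DOLA borrowed within any trailing 24-hour window: each
    borrow counts against the cap until exactly 24 h after it happened."""

    def __init__(self, cap: float, window: int = DAY):
        self.cap, self.window = cap, window
        self.borrows = deque()          # (timestamp, amount), oldest first

    def available(self, now: int) -> float:
        while self.borrows and self.borrows[0][0] + self.window <= now:
            self.borrows.popleft()      # aged out of the window: capacity returns
        return self.cap - sum(amount for _, amount in self.borrows)

    def borrow(self, now: int, amount: float) -> bool:
        if amount > self.available(now):
            return False
        self.borrows.append((now, amount))
        return True

class FixedResetLimit:
    """Naive midnight-UTC reset, included only to show the loophole it creates."""

    def __init__(self, cap: float):
        self.cap, self.day, self.used = cap, None, 0.0

    def borrow(self, now: int, amount: float) -> bool:
        day = now // DAY
        if day != self.day:             # first borrow of a new UTC day: counter resets
            self.day, self.used = day, 0.0
        if self.used + amount > self.cap:
            return False
        self.used += amount
        return True

def reset_straddle(limiter) -> list:
    """Page scenario: 1M DOLA at 11:59 PM then 1M at 12:01 AM against a 1M cap."""
    t_2359, t_0001 = 23 * 3600 + 59 * 60, DAY + 60
    return [limiter.borrow(t_2359, 1_000_000), limiter.borrow(t_0001, 1_000_000)]

def three_pm_replenish(cap: float = 1_000_000) -> tuple:
    """Borrow the cap at 3:00 PM; capacity one second before and at 3:00 PM next day."""
    limiter, t = RollingBorrowLimit(cap), 15 * 3600
    limiter.borrow(t, cap)
    return limiter.available(t + DAY - 1), limiter.available(t + DAY)
```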


Contract Address Whitelist

To mitigate flash loan exploits and atomic manipulation attempts, FiRM allows only whitelisted contracts to borrow DOLA at the Borrow Controller level. Any address can deposit collateral, but borrowing is restricted to EOAs (Externally Owned Accounts) and pre-approved smart contracts. FiRM's implementation includes protection against EIP-7702 delegated contract calls introduced in Ethereum's Pectra upgrade. This ensures that even with new Ethereum features allowing EOAs to temporarily act like contracts, FiRM's security model remains intact.

Protection Mechanisms

Flash loan blocking: Flash loans typically execute within single transactions where contracts borrow assets, manipulate markets, repay loans, and extract profits atomically. By restricting borrowing to whitelisted addresses, FiRM prevents attackers from using flash-borrowed collateral to manipulate FiRM's markets within the same transaction.

Reentrancy prevention: The whitelist works alongside checks like tx.origin == msg.sender (ensuring the caller is the ultimate transaction originator) and msg.sender.code.length == 0 (verifying the caller isn't a contract) to block unauthorized reentrancy attacks where contracts call back into FiRM during execution to manipulate state.

Legitimate Contract Integration

Approval process: Protocols wanting to integrate FiRM borrowing into their smart contracts can propose whitelist additions through governance. All whitelisted contracts are publicly visible on-chain and documented in governance proposals, allowing users to understand which contracts have borrowing privileges and why.

Examples of whitelisted contracts: Yield aggregators that automate FiRM borrowing as part of larger strategies, protocol-owned liquidity managers that borrow DOLA for specific purposes, or advanced position management tools that help users optimize their borrows.

Security tradeoff: Whitelisting reduces FiRM's permissionlessness (contracts can't integrate freely) but significantly hardens defenses against the most common DeFi exploit vectors. This tradeoff prioritizes user fund safety over maximal composability.


Staleness Threshold

FiRM safeguards against oracle disruptions and stale price data by enforcing a staleness threshold: if price feeds fail to update within a governance-defined timeframe, new borrows are temporarily blocked until fresh prices become available.

If Chainlink or other oracle providers experience outages, their last reported price might become increasingly inaccurate as real market prices diverge. An attacker could exploit stale prices to borrow against overvalued collateral. Staleness thresholds prevent this by halting borrows when data is questionable.

Every collateral market on FiRM has a maximum allowed age for price data, typically set between 1 and 24 hours depending on the asset's oracle characteristics. Before allowing a borrow transaction, FiRM checks when the oracle last updated.

If price is fresh (updated recently): Borrowing proceeds normally.

If price is stale (hasn't updated within threshold): New borrows are rejected with an error. Existing positions remain unaffected—you can still add collateral or repay debt, just not increase debt.

Borrowing automatically resumes once oracles update. No governance action needed; the system self-heals when data becomes available again.

Rare but important: Most users will never encounter staleness blocks because oracle providers maintain high uptime. But during major infrastructure failures or attacks, this mechanism provides critical protection.


Using FiRM Safely

While FiRM implements multiple security layers, you should still follow best practices to protect your positions:

Start conservatively: Use well-below maximum collateral factors for your first positions. Borrow at 60-70% even when markets allow 82%. This gives you room to learn while maintaining safety margins.

Diversify collateral types: Don't concentrate all borrowing in one market. Spread across multiple collateral types to benefit from PCE isolation.

Monitor oracle health: Stay informed about Chainlink and oracle provider status. Major outages might temporarily restrict borrowing through staleness thresholds.

Understand your collateral: Research underlying protocols for yield-bearing assets. sUSDe security depends on Ethena, Yearn vaults depend on vault strategies. Know the dependency chain.

Keep emergency capital: Maintain extra collateral or DOLA available to quickly respond to market movements or position deterioration.

Follow governance: Security parameters can change via governance votes. Stay informed about proposals affecting borrow limits, staleness thresholds, or whitelist additions.

