Onchain Risk Rails

Every trade instruction includes the requested leverage. The program compares this against your vault's configured maximum. If the requested leverage exceeds the cap, the instruction reverts. No trade happens.

The program checks that the proposed position size (in USD) doesn't exceed the maximum allowed. This prevents a malicious or buggy relayer from opening disproportionately large positions.

Each trade includes a maximum acceptable slippage. If the oracle price at execution time has moved too far from the signal price, the trade reverts. Default is 2%, enough for normal conditions, tight enough to prevent bad fills.

Every trade signal includes a unique nonce (number used once). The program records each nonce and rejects any signal with a previously seen nonce. This prevents the same trade from being submitted twice, whether by accident or by attack.

The program only allows Cross-Program Invocations to the real Jupiter Perpetuals program. The Jupiter program ID is hardcoded into Amyth's onchain program. The relayer cannot redirect trade execution to a different (malicious) program. This is the most critical rail: it prevents fund redirection entirely.