# Programmable Risk & Circuit Breakers

Fusion offers a multi-layered security framework that automates risk management through **risk surface enumeration**.

## **Market Allocation Limits**

The system enforces maximum exposure caps per market. These limits are enforced at the smart contract level; if an operation would breach a cap, the transaction is rejected automatically.

## **Substrate-Based Allowlists**

Access is restricted at the most granular level. An Atomist must explicitly grant permission for specific token addresses or market/pool identifiers ("[**Substrates**](https://app.gitbook.com/s/oaErR6oxxmjeJRJYOuXH/atomists/vault-configuration-step-by-step/substrates)**"**) before the vault can interact with them.

## **Automated Circuit Breakers (Pre-Hooks)**

"Pre-Hooks" act as automatic circuit breakers that run immediately before any core vault operation. Some examples include:

* **Price Freshness & Volatility:** Automatically reverts transactions if oracle data is stale or if asset prices have fluctuated beyond acceptable thresholds.
* **NAV Integrity Protections:** Prevents transactions that would result in abnormal NAV shifts, protecting the vault against sandwich attacks or oracle manipulation.

## **Emergency Levers (Panic & Pause)**

The protocol includes a suite of manual circuit breakers designed for rapid response:

* **Global & Functional Pause:** The Guardian or Owner can halt specific functions (e.g., deposits, strategy execution) or pause the entire vault. This effectively freezes the mandate’s state during periods of high uncertainty.
* **Transactional Veto Power:** In the multi-step "Scheduled Redemption" flow, the Guardian has the authority to cancel pending requests before they reach the "Released" state. This serves as a critical stop-gap if a withdrawal request is deemed malicious or if market conditions make the exit detrimental to the remaining pool.
* **Market-Specific Halting:** Curators can instantly revoke a specific Fuse's permission, effectively cutting off interaction with a failing protocol while keeping the rest of the vault’s operations intact.