Risk limits the program enforces, not your frontend

Most "max leverage" sliders are a few lines of validation in a request handler. They hold until someone adds a new order path, mocks the check in a test that ships, or a bot finds an endpoint that skips it. The cap is only as strong as the weakest call site.

zKmex stores each account's risk parameters in a Program Derived Address and evaluates them inside the order instruction. Max leverage, max notional per market, and the maintenance margin ratio are read from the PDA and checked before any fill commits. There is no off-chain path that bypasses it.

Because risk is on-chain, it is also auditable. Anyone can read the constraints an account trades under, and a change to those constraints is itself a transaction with a signer and a slot. Risk becomes a first-class, verifiable object instead of a config flag.

In the app you can set a 24x cap, then try to open at 60x. The program rejects it with a typed reason — the same reason your bot would receive in production.