> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rialto.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Model

> What Rialto's settlement contract guarantees around your swapExactIn call.

## Guarantees

* Allowlisted, single-function. The router can only RawCall the exact pair and
  swapExactIn selector that Rialto allowlists, no other function and no arbitrary
  calldata. A pair address allowlisted as a call target cannot also be a routable
  token, and vice versa.
* Output-verified. Settlement reverts unless the router's measured output-token
  balance increases by at least amountOutMin. You cannot be paid without
  delivering.
* Approvals are scoped and revoked. The router approves exactly amountIn and resets
  to 0 around each call, so a stale or oversized allowance cannot be drained later.
* You hold your own inventory and risk. Rialto never custodies your funds; your
  contract prices and fills from its own balances. Your getAmountOut is your price;
  your swapExactIn is your fill.
