Vault: reorder deposit to checks-effects-interactions before token transfer

[greatest0fallt1me]

Description

In CalloraVault::deposit (contracts/vault/src/lib.rs), the USDC token::transfer happens before the tracked meta.balance is updated and persisted. While Soroban's host model limits classic reentrancy, ordering state effects after an external token call is a reentrancy-equivalent footgun if the configured token is a malicious/custom SAC. Apply a strict checks-effects-interactions ordering and document the assumption.

Requirements and Context

• Compute and validate the new balance, write MetaKey to storage, then perform the external transfer.
• If the transfer can fail, ensure the state write is not left committed on a panicking transfer (Soroban reverts the whole tx on panic — document this guarantee).
• Add a code comment referencing the CEI ordering decision.
• Must be secure, tested, and documented
• Should be efficient and easy to review

Suggested Execution

1. Fork the repo and create a branch

   git checkout -b bug/vault-deposit-cei-ordering

2. Implement changes
   • contracts/vault/src/lib.rs — reorder effects vs interaction in deposit
   • Add /// note on the reentrancy-equivalent assumption
3. Test and commit
   • cargo test -p callora-vault
   • Add a test with a token mock asserting balance and on-ledger state stay consistent on transfer failure
   • Include test output and notes in the PR

Example commit message

fix: enforce checks-effects-interactions ordering in vault deposit

Acceptance Criteria

• State validated and ordering documented before external transfer
• Transfer-failure test confirms no inconsistent state
• deposit retains correct event payload (amount, new_balance)
• No regression in existing deposit tests

Guidelines

• .rs under contracts/vault/src/, cargo test, /// docs, minimum 95% line coverage, no unwrap() in prod paths
• Clear documentation and inline comments
• Timeframe: 96 hours

[anoncon]

@anoncon has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hi
I’d like to work on this issue if it’s available. I’m a full-stack Web2 & Web3 developer with solid open-source experience and can start working on it right away.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @anoncon to this issue.

[drips-wave]

Congratulations, @anoncon! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @anoncon: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊