Contracts: Add security audit preparation — natspec, invariants, and threat model doc

[CelestinaBeing]

Summary

Before deploying to mainnet with real value at stake, the contracts need to be prepared for a formal external security audit. This means: complete NatSpec/doc comments, documented invariants, and a threat model doc that auditors can use to scope their work efficiently.

Problem

• Inline doc comments are present but inconsistent — some functions have no docs
• No formal statement of contract invariants (what must always be true)
• No threat model documenting trusted roles, attack surfaces, and known limitations
• Without these, an external audit will be slower, more expensive, and may miss context-specific issues

Acceptance Criteria

NatSpec / Rust doc comments

• All public functions in contracts/rewards/src/lib.rs and contracts/campaign/src/lib.rs have complete /// doc comments with: @param, @returns, @emits, @errors sections
• All error variants in the Error enums are documented with when they're returned

Invariants document

• Create contracts/INVARIANTS.md documenting:
  • Rewards: sum(all balances) + total_claimed == sum(all credits ever)
  • Rewards: balance(user) >= 0 always (enforced by u64 semantics)
  • Campaign: participant_count <= max_cap when max_cap > 0
  • Campaign: participant_count only increments, never decrements
  • Both: only admin can call admin-only functions

Threat model

• Create docs/THREAT_MODEL.md covering:
  • Trusted roles (admin key holder)
  • Attack vectors: admin key compromise, Soroban RPC manipulation, replay attacks, TTL expiry
  • Known limitations and accepted risks
  • Out-of-scope (Stellar network-level attacks)

References

• contracts/rewards/src/lib.rs
• contracts/campaign/src/lib.rs
• docs/

[aymide1ee]

@aymide1ee has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

I would love to work on this issue.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @aymide1ee to this issue.

[pugsleyonesimus-dev]

@pugsleyonesimus-dev has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Can I work here please

ℹ️ Repo Maintainers: To accept this application, review their application or assign @pugsleyonesimus-dev to this issue.

[Malcolm-Wander]

@Malcolm-Wander has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hello maintainer,I’d love to work on this issue…thank you in advance🙏🏽

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Malcolm-Wander to this issue.

[roycebtx]

@roycebtx has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

I would like to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @roycebtx to this issue.

[prodbycorne]

@prodbycorne has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

I would like to work to on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @prodbycorne to this issue.

[drips-wave]

Congratulations, @prodbycorne! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @prodbycorne: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @prodbycorne as part of the Stellar Wave Program's 5th Wave 🥳

😎 @prodbycorne: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.