fix(settlement): safe i128 balance updates and rename

Author: Agbasimere

Cargo.toml

@@ -1,6 +1,6 @@
 [workspace]
 resolver = "2"
-members = ["contracts/vault", "contracts/revenue_pool"]
+members = ["contracts/vault", "contracts/settlement"]
 
 [workspace.dependencies]
 soroban-sdk = "22"

SECURITY.md

@@ -0,0 +1,20 @@
+# Security Policy
+
+## Checked Arithmetic
+
+All smart contracts in this repository are developed with a "no silent wrap" policy for balance updates. 
+
+### Implementation
+
+- We use `checked_add` and `checked_sub` for all `i128` balance mutations.
+- In the event of an overflow or underflow, the contract will immediately panic with a descriptive message (e.g., `"balance overflow"`, `"total amount overflow"`), causing the transaction to revert.
+- The `overflow-checks = true` setting is enabled in `Cargo.toml` for both `dev` and `release` profiles as an additional safety layer, though explicit checked arithmetic is preferred for clarity and deterministic error messages.
+
+### Affected Contracts
+
+- **`callora-vault`**: `balance` increases during `deposit` and decreases during `deduct`.
+- **`callora-settlement`**: Handles distribution of revenue to developers.
+
+## Reporting a Vulnerability
+
+If you find a security issue, please do not open a public issue. Instead, contact the maintainers at security@callora.org.

contracts/revenue_pool/Cargo.toml contracts/settlement/Cargo.tomlcontracts/revenue_pool/Cargo.toml renamed to contracts/settlement/Cargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "callora-revenue-pool"
+name = "callora-settlement"
 version = "0.0.1"
 edition = "2021"
 publish = false

contracts/revenue_pool/src/lib.rs contracts/settlement/src/lib.rscontracts/revenue_pool/src/lib.rs renamed to contracts/settlement/src/lib.rs

@@ -9,10 +9,10 @@ const ADMIN_KEY: &str = "admin";
 const USDC_KEY: &str = "usdc";
 
 #[contract]
-pub struct RevenuePool;
+pub struct Settlement;
 
 #[contractimpl]
-impl RevenuePool {
+impl Settlement {
     /// Initialize the revenue pool with an admin and the USDC token address.
     ///
     /// # Arguments

contracts/revenue_pool/src/test.rs contracts/settlement/src/test.rscontracts/revenue_pool/src/test.rs renamed to contracts/settlement/src/test.rs

@@ -15,9 +15,9 @@ fn create_usdc<'a>(
     (address, client, admin_client)
 }
 
-fn create_pool(env: &Env) -> (Address, RevenuePoolClient<'_>) {
-    let address = env.register(RevenuePool, ());
-    let client = RevenuePoolClient::new(env, &address);
+fn create_pool(env: &Env) -> (Address, SettlementClient<'_>) {
+    let address = env.register(Settlement, ());
+    let client = SettlementClient::new(env, &address);
     (address, client)
 }
 

contracts/vault/src/lib.rs

@@ -134,7 +134,7 @@ impl CalloraVault {
         );
 
         let mut meta = Self::get_meta(env.clone());
-        meta.balance += amount;
+        meta.balance = meta.balance.checked_add(amount).expect("balance overflow");
         env.storage().instance().set(&StorageKey::Meta, &meta);
         meta.balance
     }
@@ -143,7 +143,7 @@ impl CalloraVault {
     pub fn deduct(env: Env, amount: i128) -> i128 {
         let mut meta = Self::get_meta(env.clone());
         assert!(meta.balance >= amount, "insufficient balance");
-        meta.balance -= amount;
+        meta.balance = meta.balance.checked_sub(amount).expect("balance underflow");
         env.storage().instance().set(&StorageKey::Meta, &meta);
         meta.balance
     }

contracts/vault/src/test.rs

@@ -189,3 +189,16 @@ fn deposit_after_depositor_cleared_is_rejected() {
     // Depositor should no longer be able to deposit
     client.deposit(&depositor, &50);
 }
+
+#[test]
+#[should_panic(expected = "balance overflow")]
+fn deposit_overflow_panics() {
+    let env = Env::default();
+    let owner = Address::generate(&env);
+    let contract_id = env.register(CalloraVault {}, ());
+    let client = CalloraVaultClient::new(&env, &contract_id);
+
+    client.init(&owner, &Some(i128::MAX));
+    env.mock_all_auths();
+    client.deposit(&owner, &1);
+}