Docs: vault external call ordering analysis (token interactions)

[greatest0fallt1me]

Description

Write an analysis of ordering for storage updates vs token transfers for deposit/deduct/withdraw flows under Soroban execution semantics.

Requirements and context

• Identify any reentrancy-like risks at the token interface boundary.
• Code changes only if a concrete issue is found.

Suggested execution

• Fork the repo and create a branch: git checkout -b docs/vault-external-calls
• Implement changes in the Callora-Contracts Soroban workspace (contracts/*/src/).
• Run cargo fmt, cargo clippy --all-targets --all-features -- -D warnings, and cargo test from the workspace root.
• For WASM release builds: cargo build --target wasm32-unknown-unknown --release -p callora-vault (adjust -p if the crate name differs).

Deliverables

• docs/vault-external-calls.md or a SECURITY.md section.

Test and commit

• Run tests and ./scripts/coverage.sh (or cargo tarpaulin per tarpaulin.toml).
• Cover edge cases; include summarized test output and brief security notes in the PR description.

Example commit message

docs(vault): external call ordering security analysis

Guidelines

• Minimum 95% line coverage for touched crates (workspace policy).
• Clear documentation (Rust /// on public items where applicable; repo markdown as needed).
• Timeframe: 96 hours from assignment unless agreed otherwise.

[drips-wave]

This issue has been added to the Stellar Wave Program and is worth 200 Points.

🧑‍💻 Interested in contributing? Apply to work on this issue on Drips Wave, earn points, and receive rewards.

Warning

Only applications submitted via the apply link above will be considered. Please do not apply by commenting on the issue or opening a PR directly.

🤠 Repo maintainers: You can manage this issue's Points and Complexity on your Maintainer Dashboard here. Please keep an eye on applications and respond quickly 💙

ℹ️ Learn more about Drips Wave

[drips-wave]

Congratulations, @icodeBisola! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on March 30, 2026.

🧑‍💻 @icodeBisola: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊