[Contracts] withdraw/cancel transfer tokens before persisting stream state (CEI violation / reentrancy surface)

[grantfox-oss]

Telegram (ask questions / claim the issue here first): https://t.me/+DOylgFv1jyJlNzM0

Why this matters

transfer_and_update_stream (lib.rs:396-407) calls token_client.transfer to the recipient and mutates only a local Stream; withdraw persists it afterward at lib.rs:448. cancel_stream transfers to recipient (lib.rs:502) and sender (lib.rs:512) before save_stream (lib.rs:523). token_address is an arbitrary caller-supplied contract (validate_token_contract only checks a decimals() symbol exists, lib.rs:314), so a token with a transfer hook could re-enter while storage still shows the pre-update is_active/withdrawn_amount, enabling a double payout.

Acceptance criteria

• Persist stream state (save_stream) before any token_client.transfer in withdraw and cancel_stream, or add an explicit reentrancy guard
• Add a regression test with a token stub that re-enters withdraw, asserting no double payout
• If reordering is infeasible, document that only trusted/audited tokens may be streamed

Files to touch

• contracts/stream_contract/src/lib.rs

Out of scope

• Replacing the Soroban token interface

[AugistineCreates]

@AugistineCreates has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

I will solve this issue well and submit pr today

ℹ️ Repo Maintainers: To accept this application, review their application or assign @AugistineCreates to this issue.

[patopatrish]

@patopatrish has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hello maintainer, i would love to work on this issue.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @patopatrish to this issue.

[drips-wave]

Congratulations, @patopatrish! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @patopatrish: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[grantfox-oss]

🦊 GrantFox — @patopatrish has been assigned to this issue!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #789)
2. Your PR will be reviewed by the LabsCrypt maintainers

Good luck! Track your progress on GrantFox.