[bug] creative-marketplace: purchase_license — token transfers before license and listing records are written (CEI violation)

[gboigwe]

Summary

purchase_license executes both token transfers (creator payment at line 224, fee at line 229) before writing the License record at lines 244-250 and updating the listing.sale_count / listing.status at lines 260-266. A re-entrant callback during either transfer would find the license not yet recorded and the listing still Active — a second purchase attempt would pass the expiry check and double-charge the buyer.

Location

contracts/creative-marketplace/src/lib.rs, purchase_license

// ❌ Interaction before Effect
token_client.transfer(&buyer, &listing.creator, &creator_amount); // line 224
token_client.transfer(&buyer, &admin, &fee);                       // line 229

// License not yet written ↓
env.storage().persistent().set(&DataKey::License(listing_id, buyer), &license); // line 244
listing.sale_count += 1;  // line 252

Fix

Write the License record and update listing before the token transfers:

env.storage().persistent().set(&DataKey::License(...), &license);
listing.sale_count += 1;
env.storage().persistent().set(&DataKey::Listing(...), &listing);
// extend_ttl calls...
// then token transfers last
token_client.transfer(&buyer, &listing.creator, &creator_amount);
if fee > 0 { token_client.transfer(&buyer, &admin, &fee); }

[Nuel-ship-it]

@Nuel-ship-it has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hi maintainer, i would like to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Nuel-ship-it to this issue.

[Dannyswiss1]

@Dannyswiss1 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

hello, champ, can take this?

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Dannyswiss1 to this issue.

[drips-wave]

Congratulations, @Dannyswiss1! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @Dannyswiss1: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[sirakinb]

Opened a fix PR here: #571

It moves license/listing storage effects before creator and platform-fee token transfers in purchase_license, and expands the purchase test to assert sale count and balances. Verified with:

• cargo fmt -p pulsar-creative-marketplace --check
• cargo +1.91.1 test -p pulsar-creative-marketplace

[drips-wave]

This issue has been completed by @Dannyswiss1 as part of the Stellar Wave Program's 5th Wave 🥳

😎 @Dannyswiss1: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.