Protect against donation-based price manipulation

[TUPM96]

Closes #389

Summary

• add per-asset accounted balance/share tracking for deposits and withdrawals
• add donation reconciliation that compares actual token balance with accounting, quarantines unaccounted balance, and raises donation alerts
• add virtual share price calculation that excludes quarantined donations from price impact
• add configurable donation-defense minimum deposit and unaccounted-balance tolerance
• block liquidation when the debt or collateral asset has an active donation alert, with admin acknowledgement for reviewed airdrops/false positives
• document the donation attack surface and operator controls

Tests

• cargo fmt -p stellarlend-lending
• cargo check -p stellarlend-lending --lib
• cargo test -p stellarlend-lending donation -- --test-threads=4
• cargo test -p stellarlend-lending -- --test-threads=4

Note

• cargo check -p hello-world --lib is currently blocked by pre-existing hello-world baseline errors such as duplicate cross_asset_borrow/DataKey definitions and testutils-gated imports.

[vercel]

@TUPM96 is attempting to deploy a commit to the smartdevs17's projects Team on Vercel.

A member of the Team first needs to authorize it.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR introduces donation-based price manipulation defenses for deposits and adds variable/stable rate borrowing APIs, alongside related accounting updates and tests.

Changes:

• Add donation detection/quarantine flow, virtual share price calculation, and admin acknowledgment APIs.
• Introduce variable/stable borrowing entrypoints and related rate configuration plumbing.
• Update withdraw path to adjust per-asset accounting and expand test coverage for donation defenses.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
stellar-lend/docs/donation-price-manipulation.md	Documents the donation/quarantine threat model and mitigation approach.
stellar-lend/contracts/lending/src/deposit.rs	Implements donation defense config/reporting, virtual price calc, and per-asset accounting keys.
stellar-lend/contracts/lending/src/lib.rs	Exposes new public contract APIs (donation defense + rate-type borrow) and blocks liquidation on donation alert.
stellar-lend/contracts/lending/src/withdraw.rs	Deducts per-asset accounting on withdraw.
stellar-lend/contracts/lending/src/deposit_test.rs	Adds tests for detection/quarantine, min deposit dust defense, and liquidation blocking.
stellar-lend/contracts/lending/src/borrow.rs	Tweaks stable-rate state init and legacy debt position loading; modifies variable borrow rate setter.
stellar-lend/contracts/lending/src/math_safety_test.rs	Updates debt position construction with new rate fields.
stellar-lend/contracts/lending/src/borrow_test.rs	Updates imports for new RateType usage.
stellar-lend/contracts/lending/src/interest_rate.rs	Adjusts default borrow rate config (base rate).

Comments suppressed due to low confidence (1)

stellar-lend/contracts/lending/src/deposit.rs:395

• get_deposit_position is parameterized by asset, but the storage key shown only uses user (UserCollateral(user.clone())). This makes per-asset deposits overwrite each other for the same user and breaks multi-asset accounting (especially now that per-asset share/asset totals were added). Use a storage key that includes both user and asset so positions are truly per-user-per-asset.

fn get_deposit_position(env: &Env, user: &Address, asset: &Address) -> DepositCollateral {
    env.storage()
        .persistent()
        .get(&DepositDataKey::UserCollateral(user.clone()))
        .unwrap_or(DepositCollateral {

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.