[Contracts] LoanManager deposit_collateral re-reads the loan after a token transfer, creating a check-then-act gap

[grantfox-oss]

Telegram (ask questions / claim the issue here first): https://t.me/+DOylgFv1jyJlNzM0

Why this matters

In loan_manager/src/lib.rs deposit_collateral, the loan is loaded and status-checked, then token_client.transfer(&loan.borrower, contract, &amount) runs, and only afterward the loan is re-fetched (expect("loan not found")) and collateral_amount updated. The token transfer (an external call) happens between the read and the write, violating checks-effects-interactions; with a malicious or reentrant token the loan record could change or be removed between the two reads, and the second expect would panic or operate on stale state.

Acceptance criteria

• Restructure deposit_collateral to compute the new collateral and commit loan state before or atomically with the transfer (CEI), as done in repay/approve_loan
• Avoid the second storage read after the external transfer, or re-validate status after it
• Add a test for deposit_collateral interleaving with concurrent loan state changes
• Ensure the function returns a typed error rather than expect panic if the loan vanishes

Files to touch

• loan_manager/src/lib.rs

Out of scope

• Supporting a separate collateral token
• Collateral valuation oracle

[gloskull]

Hello, I have 4 years of experience delivering solutions for projects like this, covering backend, frontend, and smart contract development. After carefully reviewing your requirements, I have a clear understanding of the task and am confident in my ability to deliver a clean, efficient, and thoroughly tested solution on time. I prioritize code quality, maintainability, and industry best practices throughout the development process.

[jotel-dev]

I'm a full-stack developer with experience in React, blockchain/Web3, and ML infrastructure. I've reviewed the issue and can submit a clean PR within 2 days.

[grantfox-oss]

🦊 GrantFox — @jotel-dev has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #17)
2. Your PR will be reviewed by the LabsCrypt maintainers

Good luck! Track your progress on GrantFox.

[grantfox-oss]

🎉 This issue has been marked as completed on GrantFox as part of the Official Campaign campaign!

@jotel-dev's PR #27 was approved and merged by @ogazboiz.

🏆 @jotel-dev: You earned 35 FoxPoints for this contribution! Your current tier: Explorer (258 total points). Track your full progress on GrantFox.

👏 Great work, @jotel-dev! Keep contributing to LabsCrypt.