Vault: validate revenue_pool and settlement are distinct contracts in setters #356

@greatest0fallt1me

Description

init guards against usdc_token/revenue_pool/authorized_caller being the vault itself, but set_settlement and set_revenue_pool perform no such self-reference or cross-equality checks. An admin could set the settlement address equal to the USDC token or to the vault, misrouting deduct transfers into the token contract or back into the vault. Add validation to both setters.

Requirements and Context

  • In set_settlement/set_revenue_pool, reject the vault address, the USDC token address, and equality with each other.
  • Reuse the panic-string conventions from init.
  • Add tests for each invalid combination.
  • Must be secure, tested, and documented
  • Should be efficient and easy to review

Suggested Execution

  1. Fork the repo and create a branch
    git checkout -b bug/vault-address-setter-validation
  2. Implement changes
    • contracts/vault/src/lib.rs — validation in both setters
    • docs/CONTRACT_ADDRESS_CONFIGURATION.md — document constraints
  3. Test and commit
    • cargo test -p callora-vault
    • Test setting settlement = usdc, = vault, = revenue_pool all revert
    • Include test output and notes in the PR

Example commit message

fix: validate settlement/revenue_pool addresses in vault setters

Acceptance Criteria

  • Self-address and USDC-equality rejected in both setters
  • Settlement and revenue pool cannot be set equal
  • Tests cover each invalid combination
  • Operator doc updated

Guidelines

  • .rs under contracts/vault/src/, cargo test, /// docs, minimum 95% line coverage, no unwrap() in prod paths
  • Clear documentation and inline comments
  • Timeframe: 96 hours
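The following is an added, self-contained model of the validation the issue asks for; it is not code from the callora-vault repository. It replaces `soroban_sdk::Address` with a plain 32-byte stand-in, models the stored configuration as an assumed `VaultConfig` struct, and returns a typed `ConfigError` instead of panicking, since the exact panic strings used by `init` are not shown here. Both setters share one check so that the rule "not the vault, not the USDC token, not the other route target" is applied symmetrically, and a rejected update leaves the stored value unchanged.

```rust
// Added example (not the project's own code): distinct-address validation for
// the vault's settlement and revenue_pool setters. `Address`, `VaultConfig`
// and `ConfigError` are assumed stand-ins for the real Soroban types.

/// Stand-in for soroban_sdk::Address (assumed): a 32-byte identifier.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Address(pub [u8; 32]);

/// Why a candidate route target was rejected.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ConfigError {
    /// Candidate is the vault itself: a deduct would transfer back into the vault.
    SelfReference,
    /// Candidate is the USDC token contract: a deduct would transfer into the token.
    EqualsUsdcToken,
    /// Candidate already serves the other route (settlement vs revenue_pool).
    EqualsCounterpart,
}

/// The vault's stored routing configuration (assumed shape).
#[derive(Clone, Debug)]
pub struct VaultConfig {
    pub vault: Address,
    pub usdc_token: Address,
    pub settlement: Address,
    pub revenue_pool: Address,
}

/// Shared rule for both setters: a route target must be a distinct contract,
/// never the vault, never the token, never the other route target.
pub fn validate_route_target(
    candidate: Address,
    vault: Address,
    usdc_token: Address,
    counterpart: Address,
) -> Result<(), ConfigError> {
    if candidate == vault {
        return Err(ConfigError::SelfReference);
    }
    if candidate == usdc_token {
        return Err(ConfigError::EqualsUsdcToken);
    }
    if candidate == counterpart {
        return Err(ConfigError::EqualsCounterpart);
    }
    Ok(())
}

impl VaultConfig {
    /// Replace the settlement address; checked against vault, token and revenue_pool.
    /// On error the stored settlement address is left untouched.
    pub fn set_settlement(&mut self, new_settlement: Address) -> Result<(), ConfigError> {
        validate_route_target(new_settlement, self.vault, self.usdc_token, self.revenue_pool)?;
        self.settlement = new_settlement;
        Ok(())
    }

    /// Replace the revenue pool address; checked against vault, token and settlement.
    /// On error the stored revenue_pool address is left untouched.
    pub fn set_revenue_pool(&mut self, new_pool: Address) -> Result<(), ConfigError> {
        validate_route_target(new_pool, self.vault, self.usdc_token, self.settlement)?;
        self.revenue_pool = new_pool;
        Ok(())
    }
}

/// Constructed sample address: every byte set to `tag`.
pub fn addr(tag: u8) -> Address {
    Address([tag; 32])
}

/// Constructed sample configuration with four distinct contract addresses.
pub fn sample_config() -> VaultConfig {
    VaultConfig {
        vault: addr(1),
        usdc_token: addr(2),
        settlement: addr(3),
        revenue_pool: addr(4),
    }
}

fn main() {
    let mut cfg = sample_config();
    let (vault, usdc, settlement, pool) = (cfg.vault, cfg.usdc_token, cfg.settlement, cfg.revenue_pool);
    // Each invalid combination from the issue, then one valid update.
    println!("settlement = vault         -> {:?}", cfg.set_settlement(vault));
    println!("settlement = usdc_token    -> {:?}", cfg.set_settlement(usdc));
    println!("settlement = revenue_pool  -> {:?}", cfg.set_settlement(pool));
    println!("revenue_pool = settlement  -> {:?}", cfg.set_revenue_pool(settlement));
    println!("settlement = fresh address -> {:?}", cfg.set_settlement(addr(5)));
}
```

The counterpart passed to the shared check is the currently stored value of the other route, so the order of operations matters for operators: to swap settlement and revenue_pool, one of them must first be moved to a third address, which is the behaviour the tests below for `EqualsCounterpart` pin down.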

Metadata

Labels

  • Stellar Wave: Issues in the Stellar wave program
  • audit: Security audit/review
  • security: Security hardening
  • smart-contract: Soroban smart-contract work
