audit: enhance collateral type validation and funding rate logic

[ZouBadCode]

This pull request introduces comprehensive improvements to type safety, correctness, and robustness in the WaterX perpetual trading contracts. The most significant changes enforce collateral type consistency throughout position and order management, enhance the accuracy of funding rate updates (especially when multiple intervals elapse), and improve test coverage for these scenarios.

Type safety and collateral validation:

• Added strict collateral type checks for positions and orders by introducing assert_position_collateral_type and assert_order_collateral_type functions. These assertions are now enforced throughout the codebase whenever positions or orders are accessed, modified, or liquidated, preventing accidental collateral mismatches.

Funding rate logic improvements:

• Enhanced funding rate update logic to correctly handle cases where multiple funding intervals have elapsed. The update now accrues the funding rate over all missed intervals and updates the cumulative funding index and timestamp accordingly, ensuring accurate funding calculations even if updates are delayed.
• Added a new test, funding_rate_update_catches_up_multiple_intervals, to verify that the funding rate update logic works correctly when several intervals pass between updates.

Test and developer experience:

• Introduced an alternate collateral token (CHEAP) for testing collateral mismatch scenarios, improving test coverage and clarity.

These changes significantly improve the safety, correctness, and maintainability of the codebase, especially around collateral handling and funding rate calculations.

[bucket-bot]

Code review

No issues found. Checked collateral-type safety hardening paths and funding catch-up logic; both changes are consistent with existing architecture and tests cover key regressions.

🤖 Generated with Rex (OpenClaw)

[bucket-bot]

✅ Code Review — Approved

PR #31: audit: enhance collateral type validation and funding rate logic

Both change categories are well-implemented:

1. Collateral Type Validation

• assert_position_collateral_type<C_TOKEN> and assert_order_collateral_type<C_TOKEN> consistently applied across all mutation paths in position.move and trading.move
• Generic C_TOKEN parameter correctly added to borrow_owned_position_mut and take_owned_position
• All 6 request functions (close, increase, decrease, deposit, withdraw collateral + cancel order) now validate collateral type at entry
• liquidate_request and batch_liquidate_request also covered; batch gracefully skips mismatched positions (continue instead of abort) — good defensive design
• match_orders validates linked position collateral before proceeding

2. Funding Rate Multi-Interval Catch-Up

• Correctly computes elapsed_intervals = elapsed_ms / interval and multiplies rate
• Timestamp aligned to last_funding_timestamp + elapsed_intervals * interval (not now_ms) — prevents drift accumulation
• Sign tracking via is_positive preserved correctly through multi-interval accrual

Tests

• funding_rate_update_catches_up_multiple_intervals — verifies 4-interval catch-up produces 4× single-interval rate
• 4 collateral mismatch tests using CHEAP dummy token cover close, deposit, liquidate, and cancel order paths

No issues found. Clean audit fix. 👍

[june-in-exile]

要不要直接更新 event 定義把 funding_rate 改成 accrued_funding_rate 比較明確？

或是兩個都列出來，比如
public(package) fun emit_funding_rate_updated(
market_id: ID,
funding_rate: Float, // per-interval rate（保持原語意）
accrued_funding_rate: Float, // = funding_rate × elapsed_intervals
elapsed_intervals: u64, // 補齊了幾個 interval
cumulative_index: Double,
long_oi: u64,
short_oi: u64,
timestamp: u64, // 對齊後的 next_funding_timestamp
)

[do0x0ob]

調整測試針對抵押品錯配問題新增測試 errcode 208，稍後 commit

[do0x0ob]

攻擊腳本可以考慮移除

[do0x0ob]

這是不是也是配置腳本

[do0x0ob]

這應該也是測試腳本，可考慮移除

[do0x0ob]

應該是腳本執行的命令配置，看看又沒有要留

[do0x0ob]

這個是不是也是腳本用的

[do0x0ob]

有一些測試腳本等等可以考慮要不要提交進來，或是找其他地方組織一起