StellarCheckMate · yahia008 · Jun 2, 2026 · Jun 1, 2026 · Jun 2, 2026
diff --git a/contracts/escrow/src/lib.rs b/contracts/escrow/src/lib.rs
@@ -44,6 +44,8 @@ impl EscrowContract {
         env.storage().instance().set(&DataKey::Admin, &admin);
         env.storage().instance().set(&DataKey::MatchCount, &0u64);
         env.storage().instance().set(&DataKey::Paused, &false);
+        env.storage().instance().set(&DataKey::AllowlistEnforced, &false);
+        env.storage().instance().set(&DataKey::AllowedTokenCount, &0u64);
     }
 
     /// Pause the contract — admin only. Blocks create_match, deposit, and submit_result.

diff --git a/contracts/escrow/src/tests/events.rs b/contracts/escrow/src/tests/events.rs
@@ -362,12 +362,12 @@ fn test_remove_allowed_token_emits_event() {
     let expected_topics = vec![
         &env,
         Symbol::new(&env, "admin").into_val(&env),
-        symbol_short!("token_removed").into_val(&env),
+        symbol_short!("token_remove").into_val(&env),
     ];
     let matched = events
         .iter()
         .find(|(_, topics, _)| *topics == expected_topics);
-    assert!(matched.is_some(), "token_removed event not emitted");
+    assert!(matched.is_some(), "token_remove event not emitted");
 
     let (_, _, data) = matched.unwrap();
     let ev_token: Address = TryFromVal::try_from_val(&env, &data).unwrap();

diff --git a/contracts/escrow/src/tests/token_allowlist.rs b/contracts/escrow/src/tests/token_allowlist.rs
@@ -34,11 +34,18 @@ fn test_add_allowed_token_emits_event() {
 }
 
 #[test]
-fn test_removed_tokens_can_no_longer_be_used_for_new_matches() {
+fn test_removed_tokens_are_rejected_when_other_allowed_tokens_remain() {
     let (env, contract_id, _oracle, player1, player2, token, _admin) = setup();
     let client = EscrowContractClient::new(&env, &contract_id);
 
+    let token2_id = env.register_stellar_asset_contract_v2(Address::generate(&env));
+    let token2_addr = token2_id.address();
+    let asset_client2 = StellarAssetClient::new(&env, &token2_addr);
+    asset_client2.mint(&player1, &1000);
+    asset_client2.mint(&player2, &1000);
+
     client.add_allowed_token(&token);
+    client.add_allowed_token(&token2_addr);
     client.remove_allowed_token(&token);
 
     let result = client.try_create_match(
@@ -49,10 +56,58 @@ fn test_removed_tokens_can_no_longer_be_used_for_new_matches() {
         &String::from_str(&env, "removed_token_game"),
         &Platform::Lichess,
     );
-    assert!(
-        result.is_err(),
-        "create_match should reject removed token"
+    assert!(result.is_err(), "create_match should reject removed token");
+
+    let id = client.create_match(
+        &player1,
+        &player2,
+        &100,
+        &token2_addr,
+        &String::from_str(&env, "remaining_token_game"),
+        &Platform::Lichess,
     );
+    assert_eq!(id, 0, "remaining allowed token should still be accepted");
+}
+
+#[test]
+fn test_removing_last_allowed_token_disables_allowlist_enforcement() {
+    let (env, contract_id, _oracle, player1, player2, token, _admin) = setup();
+    let client = EscrowContractClient::new(&env, &contract_id);
+
+    client.add_allowed_token(&token);
+    client.remove_allowed_token(&token);
+
+    assert!(!client.is_token_allowed(&token));
+
+    let unknown_token = Address::generate(&env);
+    let id = client.create_match(
+        &player1,
+        &player2,
+        &100,
+        &unknown_token,
+        &String::from_str(&env, "rollback_game"),
+        &Platform::Lichess,
+    );
+    assert_eq!(id, 0, "create_match should accept any token after last allowed token is removed");
+}
+
+#[test]
+fn test_remove_allowed_token_requires_admin_auth() {
+    let (env, contract_id, _oracle, _player1, _player2, token, _admin) = setup();
+    let client = EscrowContractClient::new(&env, &contract_id);
+
+    let attacker = Address::generate(&env);
+    env.mock_auths(&[MockAuth {
+        address: &attacker,
+        invoke: &MockAuthInvoke {
+            contract: &contract_id,
+            fn_name: "remove_allowed_token",
+            args: (token.clone(),).into_val(&env),
+            sub_invokes: &[],
+        },
+    }]);
+
+    assert_eq!(client.try_remove_allowed_token(&token), Err(Ok(Error::Unauthorized)));
 }
 
 #[test]

diff --git a/contracts/escrow/src/types.rs b/contracts/escrow/src/types.rs
@@ -56,6 +56,7 @@ pub enum DataKey {
     PlayerMatches(Address),
     MatchTimeout,
     AllowedToken(Address),
+    AllowedTokenCount,
     AllowlistEnforced,
     AllowedTokenCount,
     OracleRecord(u64),

diff --git a/docs/deployment.md b/docs/deployment.md
@@ -100,7 +100,7 @@ stellar contract invoke \
   --token <USDC_CONTRACT_ADDRESS>
 ```
 
-> **Note:** After the first `add_allowed_token` call, `AllowlistEnabled` is set to `true` on-chain and cannot be unset. Any token not explicitly added will be rejected by `create_match`.
+> **Note:** After the first `add_allowed_token` call, allowlist enforcement becomes active. If the last allowed token is removed, enforcement is disabled again and `create_match` accepts any token.
 
 ---
-Original file line number
+Diff line change
@@ Expand Up / @@ -100,7 +100,7 @@ stellar contract invoke \ @@
       --token <USDC_CONTRACT_ADDRESS>
     ```
-    > **Note:** After the first `add_allowed_token` call, `AllowlistEnabled` is set to `true` on-chain and cannot be unset. Any token not explicitly added will be rejected by `create_match`.
+    > **Note:** After the first `add_allowed_token` call, allowlist enforcement becomes active. If the last allowed token is removed, enforcement is disabled again and `create_match` accepts any token.
     ---
@@ Expand Down @@