Fix: token address is not validated — any address can be passed as token

[yahia008]

Priority: High
Estimated Time: 1 hour

Description:
create_match accepts any Address as the token parameter with no validation. A malicious actor could pass a fake token contract that behaves unexpectedly during transfer calls, potentially draining the contract.

Tasks:

• Add DataKey::AllowedToken(Address) and an admin function add_allowed_token(token: Address) to manage the allowlist
• Reject create_match if token is not on the allowlist, returning Error::InvalidToken
• Add InvalidToken error variant
• Add tests for allowed and disallowed tokens

[rehna-jp]

@rehna-jp has applied to work on this issue as part of the Stellar Wave Program's 3rd wave.

Hii , I’d like to work on this issue and add proper token validation for create_match. I’ll implement an allowlist via DataKey::AllowedToken, add an admin function to manage it, return an InvalidToken error for disallowed tokens, and cover all cases with tests.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @rehna-jp to this issue.

[techisigu]

@techisigu has applied to work on this issue as part of the Stellar Wave Program's 3rd wave.

I’m a smart contract developer who turns complex ideas into secure, production-ready blockchain code.
With strong skills in Rust and Solidity, I build systems that are fast, safe, and built to last.
My experience with the Stellar SDK lets me ship real-world Web3 solutions that actually move value

ℹ️ Repo Maintainers: To accept this application, review their application or assign @techisigu to this issue.