shuffle withdraw errors

Author: 2501babe

program/src/error.rs

@@ -54,8 +54,9 @@ pub enum SinglePoolError {
 
     // 10
     /// Not enough stake to cover the provided quantity of pool tokens.
-    /// (Generally this should not happen absent user error, but may if the
-    /// minimum delegation increases beyond 1 sol.)
+    /// This typically means the value exists in the pool as activating stake,
+    /// and an epoch is required for it to become available. Otherwise, it means
+    /// active stake in the on-ramp must be moved via `ReplenishPool`.
     #[error("WithdrawalTooLarge")]
     WithdrawalTooLarge,
     /// Required signature is missing.
@@ -105,6 +106,10 @@ pub enum SinglePoolError {
     /// is in an exceptional state, or because the on-ramp account should be refreshed.
     #[error("ReplenishRequired")]
     ReplenishRequired,
+    /// Withdrawal would render the pool stake account impossible to redelegate.
+    /// This can only occur if the Stake Program minimum delegation increases above 1sol.
+    #[error("WithdrawalViolatesPoolRequirements")]
+    WithdrawalViolatesPoolRequirements,
 }
 impl From<SinglePoolError> for ProgramError {
     fn from(e: SinglePoolError) -> Self {
@@ -137,8 +142,9 @@ impl ToStr for SinglePoolError {
                 "Error: Not enough pool tokens provided to withdraw stake worth one lamport.",
             SinglePoolError::WithdrawalTooLarge =>
                 "Error: Not enough stake to cover the provided quantity of pool tokens. \
-                     (Generally this should not happen absent user error, but may if the minimum delegation increases \
-                     beyond 1 sol.)",
+                    This typically means the value exists in the pool as activating stake, \
+                    and an epoch is required for it to become available. Otherwise, it means \
+                    active stake in the onramp must be moved via `ReplenishPool`.",
             SinglePoolError::SignatureMissing => "Error: Required signature is missing.",
             SinglePoolError::WrongStakeState => "Error: Stake account is not in the state expected by the program.",
             SinglePoolError::ArithmeticOverflow => "Error: Unsigned subtraction crossed the zero.",
@@ -157,11 +163,14 @@ impl ToStr for SinglePoolError {
             SinglePoolError::InvalidPoolOnRampAccount =>
                 "Error: Provided pool onramp account does not match address derived from the pool account.",
             SinglePoolError::OnRampDoesntExist =>
-                "The onramp account for this pool does not exist; you must call `InitializePoolOnRamp` \
+                "Error: The onramp account for this pool does not exist; you must call `InitializePoolOnRamp` \
                      before you can perform this operation.",
             SinglePoolError::ReplenishRequired =>
                 "Error: The present operation requires a `ReplenishPool` call, either because the pool stake account \
                     is in an exceptional state, or because the on-ramp account should be refreshed.",
+            SinglePoolError::WithdrawalViolatesPoolRequirements =>
+                "Error: Withdrawal would render the pool stake account impossible to redelegate. \
+                    This can only occur if the Stake Program minimum delegation increases above 1 sol.",
         }
     }
 }

program/src/processor.rs

@@ -1198,6 +1198,10 @@ impl Processor {
             return Err(SinglePoolError::InvalidPoolStakeAccountUsage.into());
         }
 
+        if token_amount == 0 {
+            return Err(SinglePoolError::WithdrawalTooSmall.into());
+        }
+
         let minimum_delegation = stake::tools::get_minimum_delegation()?;
 
         // tokens for withdraw are determined off the total stakeable value of both pool-owned accounts
@@ -1241,22 +1245,29 @@ impl Processor {
             return Err(SinglePoolError::WithdrawalTooSmall.into());
         }
 
+        // the pool must *always* meet minimum delegation, even if it is inactive.
+        // this error is currently impossible to hit and exists to protect pools if minimum delegation rises above 1sol
+        if withdrawable_value.saturating_sub(stake_to_withdraw) < minimum_delegation {
+            return Err(SinglePoolError::WithdrawalViolatesPoolRequirements.into());
+        }
+
+        // this is impossible but we guard explicitly because it would put the pool in an unrecoverable state
+        if stake_to_withdraw == pool_stake_info.lamports() {
+            return Err(SinglePoolError::WithdrawalViolatesPoolRequirements.into());
+        }
+
         // if the destination would be in any non-inactive state it must meet minimum delegation
         if !pool_is_fully_inactive && stake_to_withdraw < minimum_delegation {
             return Err(SinglePoolError::WithdrawalTooSmall.into());
         }
 
         // if we do not have enough value to service this withdrawal, the user must wait a `ReplenishPool` cycle.
-        // this does *not* mean the value isnt in the pool, merely that it is not duly splittable
+        // this does *not* mean the value isnt in the pool, merely that it is not duly splittable.
+        // this check should always come last to avoid returning it if the withdrawal is actually invalid
         if stake_to_withdraw > withdrawable_value {
             return Err(SinglePoolError::WithdrawalTooLarge.into());
         }
 
-        // this is theoretically impossible but we guard because it would put the pool in an unrecoverable state
-        if stake_to_withdraw == pool_stake_info.lamports() {
-            return Err(SinglePoolError::WithdrawalTooLarge.into());
-        }
-
         // burn user tokens corresponding to the amount of stake they wish to withdraw
         Self::token_burn(
             pool_info.key,