From 420e3b4fc06373b04432aef0f4582cccc4f59997 Mon Sep 17 00:00:00 2001
From: r4bbit <445106+0x-r4bbit@users.noreply.github.com>
Date: Mon, 4 May 2026 14:47:50 +0200
Subject: [PATCH] chore(amm): add defensive check for lp token solvency

This check is added to fulfill the program invariant that no more tokens
than owned can be burned. This was not a bug before, because the `token`
program will revert on `Transfer::Burn` when one tries to burn more
tokens than available.

So this change is merely for making the invariant explicit.
---
 amm/src/remove.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/amm/src/remove.rs b/amm/src/remove.rs
index 951c639..dcff5e7 100644
--- a/amm/src/remove.rs
+++ b/amm/src/remove.rs
@@ -91,6 +91,10 @@ pub fn remove_liquidity(
         pool_def_data.liquidity_pool_supply > MINIMUM_LIQUIDITY,
         "Pool only contains locked liquidity"
     );
+    assert!(
+        remove_liquidity_amount <= user_lp_balance,
+        "Remove amount exceeds user LP balance"
+    );
     let unlocked_liquidity = pool_def_data.liquidity_pool_supply - MINIMUM_LIQUIDITY;
     // The remove instruction never sees the LP lock account directly, so we must still refuse any
     // request that would burn through the permanent floor even if ownership is already corrupted.