withdraw: replace overflow with better error (#910)

programs/mango-v4/src/instructions/token_withdraw.rs

@@ -175,9 +175,9 @@ pub fn token_withdraw(ctx: Context<TokenWithdraw>, amount: u64, allow_borrow: bo
             // However, if health without it is negative then full health could be negative
             // and could be made worse by withdrawals.
             //
-            // We don't know the true pre_init_health, and substitute MAX. That way the check
-            // won't pass because post == pre.
-            account.check_health_post_checks(I80F48::MAX, post_init_health_lower_bound)?;
+            // We don't know the true pre_init_health: So require that our lower bound on
+            // post health is strictly good enough.
+            account.check_health_post_checks_strict(post_init_health_lower_bound)?;
         }
     }
 

programs/mango-v4/src/state/mango_account.rs

@@ -1457,6 +1457,13 @@ impl<
         Ok(())
     }
 
+    /// A stricter version of check_health_post_checks() that requires >=0 health, it not getting
+    /// worse is not sufficient
+    pub fn check_health_post_checks_strict(&mut self, post_init_health: I80F48) -> Result<()> {
+        require!(post_init_health >= 0, MangoError::HealthMustBePositive);
+        Ok(())
+    }
+
     pub fn check_liquidatable(&mut self, health_cache: &HealthCache) -> Result<CheckLiquidatable> {
         // Once maint_health falls below 0, we want to start liquidating,
         // we want to allow liquidation to continue until init_health is positive,

programs/mango-v4/tests/cases/test_basic.rs

@@ -942,7 +942,7 @@ async fn test_withdraw_skip_bank() -> Result<(), TransportError> {
             },
             skip_banks: vec![tokens[0].bank, tokens[1].bank],
         },
-        MangoError::HealthMustBePositiveOrIncrease
+        MangoError::HealthMustBePositive
     );
 
     Ok(())