fix(token-swap): audit pass - checked_sub, basis-points constant, admin folder, test fix

- Fix test compile break: withdraw accounts field is `withdrawer`, not
  `depositor` (test_swap.rs was passing the old field name)
- Replace raw `pool.amount - admin_fees_owed` with checked_sub across
  swap_tokens, deposit_liquidity, withdraw_liquidity - a BPF release
  underflow would wrap to a giant effective reserve
- Extract the basis-points divisor (10_000) into a named BASIS_POINTS_DIVISOR
  constant; use it in the swap fee math and create_config constraints
- Move the admin-only claim_admin_fees handler into instructions/admin/

Author: claude

tokens/token-swap/anchor/programs/token-swap/src/constants.rs

@@ -3,6 +3,13 @@ use anchor_lang::prelude::*;
 #[constant]
 pub const MINIMUM_LIQUIDITY: u64 = 100;
 
+/// Basis-points denominator. Fees and the admin's fee share are stored in
+/// basis points (1 bp = 1/10_000), so dividing by this converts a bp value to
+/// a fraction. Using the named constant keeps the 10_000 out of the math as a
+/// bare literal.
+#[constant]
+pub const BASIS_POINTS_DIVISOR: u64 = 10_000;
+
 #[constant]
 pub const CONFIG_SEED: &[u8] = b"config";
 

…wap/src/instructions/claim_admin_fees.rs …c/instructions/admin/claim_admin_fees.rstokens/token-swap/anchor/programs/token-swap/src/instructions/claim_admin_fees.rs renamed to tokens/token-swap/anchor/programs/token-swap/src/instructions/admin/claim_admin_fees.rs tokens/token-swap/anchor/programs/token-swap/src/instructions/claim_admin_fees.rs renamed to tokens/token-swap/anchor/programs/token-swap/src/instructions/admin/claim_admin_fees.rs

@@ -0,0 +1,3 @@
+mod claim_admin_fees;
+
+pub use claim_admin_fees::*;

tokens/token-swap/anchor/programs/token-swap/src/instructions/admin/mod.rs

@@ -1,6 +1,10 @@
 use anchor_lang::prelude::*;
 
-use crate::{constants::CONFIG_SEED, errors::*, state::Config};
+use crate::{
+    constants::{BASIS_POINTS_DIVISOR, CONFIG_SEED},
+    errors::*,
+    state::Config,
+};
 
 pub fn handle_create_config(
     mut context: Context<CreateConfigAccounts>,
@@ -26,8 +30,8 @@ pub struct CreateConfigAccounts<'info> {
         space = Config::DISCRIMINATOR.len() + Config::INIT_SPACE,
         seeds = [CONFIG_SEED],
         bump,
-        constraint = fee < 10000 @ AmmError::InvalidFee,
-        constraint = admin_share_bps < 10000 @ AmmError::AdminShareTooHigh,
+        constraint = (fee as u64) < BASIS_POINTS_DIVISOR @ AmmError::InvalidFee,
+        constraint = (admin_share_bps as u64) < BASIS_POINTS_DIVISOR @ AmmError::AdminShareTooHigh,
     )]
     pub config: Account<'info, Config>,
 

tokens/token-swap/anchor/programs/token-swap/src/instructions/create_config.rs

@@ -66,8 +66,16 @@ pub fn handle_deposit_liquidity(
     let pool_a = &context.accounts.pool_a;
     let pool_b = &context.accounts.pool_b;
     let pool_config = &context.accounts.pool_config;
-    let effective_pool_a = pool_a.amount - pool_config.admin_fees_owed_a;
-    let effective_pool_b = pool_b.amount - pool_config.admin_fees_owed_b;
+    // checked_sub: admin_fees_owed is an invariant subset of the vault balance;
+    // a raw `-` would wrap silently on a BPF release build if that ever broke.
+    let effective_pool_a = pool_a
+        .amount
+        .checked_sub(pool_config.admin_fees_owed_a)
+        .ok_or(AmmError::MathOverflow)?;
+    let effective_pool_b = pool_b
+        .amount
+        .checked_sub(pool_config.admin_fees_owed_b)
+        .ok_or(AmmError::MathOverflow)?;
     // Defining pool creation like this allows attackers to frontrun pool creation with bad ratios
     let pool_creation = effective_pool_a == 0 && effective_pool_b == 0;
     (amount_a, amount_b) = if pool_creation {

tokens/token-swap/anchor/programs/token-swap/src/instructions/deposit_liquidity.rs

@@ -1,11 +1,11 @@
-mod claim_admin_fees;
+mod admin;
 mod create_config;
 mod create_pool;
 mod deposit_liquidity;
 mod swap_tokens;
 mod withdraw_liquidity;
 
-pub use claim_admin_fees::*;
+pub use admin::*;
 pub use create_config::*;
 pub use create_pool::*;
 pub use deposit_liquidity::*;

tokens/token-swap/anchor/programs/token-swap/src/instructions/mod.rs

@@ -5,7 +5,7 @@ use anchor_spl::{
 };
 
 use crate::{
-    constants::{AUTHORITY_SEED, CONFIG_SEED},
+    constants::{AUTHORITY_SEED, BASIS_POINTS_DIVISOR, CONFIG_SEED},
     errors::*,
     state::{Config, PoolConfig},
 };
@@ -42,12 +42,12 @@ pub fn handle_swap_tokens(
     let fee_amount = (input_amount as u128)
         .checked_mul(config.fee as u128)
         .ok_or(AmmError::MathOverflow)?
-        .checked_div(10_000)
+        .checked_div(BASIS_POINTS_DIVISOR as u128)
         .ok_or(AmmError::MathOverflow)?;
     let admin_portion = fee_amount
         .checked_mul(config.admin_share_bps as u128)
         .ok_or(AmmError::MathOverflow)?
-        .checked_div(10_000)
+        .checked_div(BASIS_POINTS_DIVISOR as u128)
         .ok_or(AmmError::MathOverflow)?;
     // Narrow back to u64 for storage / transfer. The fee can never exceed
     // `input` (`fee_amount <= input * 9999 / 10_000 < input`, and `input`
@@ -68,8 +68,17 @@ pub fn handle_swap_tokens(
     let pool_a = &context.accounts.pool_a;
     let pool_b = &context.accounts.pool_b;
     let pool_config = &context.accounts.pool_config;
-    let effective_pool_a = pool_a.amount - pool_config.admin_fees_owed_a;
-    let effective_pool_b = pool_b.amount - pool_config.admin_fees_owed_b;
+    // checked_sub: admin_fees_owed is an invariant subset of the vault balance,
+    // but a raw `-` would wrap silently on a BPF release build if that invariant
+    // were ever violated, handing the curve a giant effective reserve.
+    let effective_pool_a = pool_a
+        .amount
+        .checked_sub(pool_config.admin_fees_owed_a)
+        .ok_or(AmmError::MathOverflow)?;
+    let effective_pool_b = pool_b
+        .amount
+        .checked_sub(pool_config.admin_fees_owed_b)
+        .ok_or(AmmError::MathOverflow)?;
 
     // Constant-product output formula:
     //   output = taxed_input * other_reserve / (this_reserve + taxed_input)
@@ -231,8 +240,18 @@ pub fn handle_swap_tokens(
     context.accounts.pool_a.reload()?;
     context.accounts.pool_b.reload()?;
     let pool_config = &context.accounts.pool_config;
-    let effective_pool_a_after = context.accounts.pool_a.amount - pool_config.admin_fees_owed_a;
-    let effective_pool_b_after = context.accounts.pool_b.amount - pool_config.admin_fees_owed_b;
+    let effective_pool_a_after = context
+        .accounts
+        .pool_a
+        .amount
+        .checked_sub(pool_config.admin_fees_owed_a)
+        .ok_or(AmmError::MathOverflow)?;
+    let effective_pool_b_after = context
+        .accounts
+        .pool_b
+        .amount
+        .checked_sub(pool_config.admin_fees_owed_b)
+        .ok_or(AmmError::MathOverflow)?;
     let new_invariant = (effective_pool_a_after as u128)
         .checked_mul(effective_pool_b_after as u128)
         .ok_or(AmmError::MathOverflow)?;

tokens/token-swap/anchor/programs/token-swap/src/instructions/swap_tokens.rs

@@ -31,8 +31,20 @@ pub fn handle_withdraw_liquidity(
     // owed slice physically remains in the vaults but is not distributed to
     // exiting LPs - it's claimed separately via `claim_admin_fees`.
     let pool_config = &context.accounts.pool_config;
-    let effective_pool_a = context.accounts.pool_a.amount - pool_config.admin_fees_owed_a;
-    let effective_pool_b = context.accounts.pool_b.amount - pool_config.admin_fees_owed_b;
+    // checked_sub: admin_fees_owed is an invariant subset of the vault balance;
+    // a raw `-` would wrap silently on a BPF release build if that ever broke.
+    let effective_pool_a = context
+        .accounts
+        .pool_a
+        .amount
+        .checked_sub(pool_config.admin_fees_owed_a)
+        .ok_or(AmmError::MathOverflow)?;
+    let effective_pool_b = context
+        .accounts
+        .pool_b
+        .amount
+        .checked_sub(pool_config.admin_fees_owed_b)
+        .ok_or(AmmError::MathOverflow)?;
 
     // Proportional-withdraw formula:
     //   amount_out = lp_amount * effective_reserve / (lp_supply + MINIMUM_LIQUIDITY)

tokens/token-swap/anchor/programs/token-swap/src/instructions/withdraw_liquidity.rs

@@ -421,7 +421,7 @@ fn test_withdraw_liquidity() {
             config: ts.config_key,
             pool_config: ts.pool_config_key,
             pool_authority: ts.pool_authority,
-            depositor: ts.admin.pubkey(),
+            withdrawer: ts.admin.pubkey(),
             liquidity_provider_mint: ts.liquidity_provider_mint,
             mint_a: ts.mint_a,
             mint_b: ts.mint_b,
@@ -1239,7 +1239,7 @@ fn withdraw_ix_with_min(
             config: ts.config_key,
             pool_config: ts.pool_config_key,
             pool_authority: ts.pool_authority,
-            depositor: ts.admin.pubkey(),
+            withdrawer: ts.admin.pubkey(),
             liquidity_provider_mint: ts.liquidity_provider_mint,
             mint_a: ts.mint_a,
             mint_b: ts.mint_b,