Anchor Discriminator Validation
Detects missing or incorrect Anchor discriminator validation.
Overview
The Anchor discriminator validation detector identifies missing or incorrect discriminator checks on account deserialization. Anchor uses 8-byte discriminators derived from sha256("account:<AccountName>") to distinguish account types. Missing checks enable type confusion and instruction confusion attacks.
For remediation guidance, see Anchor Discriminator Validation Remediation.
Why This Is an Issue
Without discriminator validation, an attacker can pass an account of one type where another type is expected. If two account types share a similar data layout, the program interprets the data incorrectly, leading to unauthorized state manipulation or fund theft. Manual deserialization that skips discriminator validation is particularly dangerous.
How to Resolve
Before (Vulnerable)
// Vulnerable: manual deserialization without discriminator check
pub fn process(accounts: &[AccountInfo]) -> ProgramResult {
    let data = accounts[0].data.borrow();
    let vault: Vault = Vault::deserialize(&mut &data[..])?; // No discriminator check
    // Attacker can pass any account with matching layout
    Ok(())
}
After (Fixed)
// Fixed: use Anchor's Account type which auto-checks discriminator
#[derive(Accounts)]
pub struct Process<'info> {
    pub vault: Account<'info, Vault>, // Discriminator checked automatically
}
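For code paths that must deserialize by hand, the check the detector looks for is an 8-byte load at offset 0 compared against the expected value before any field is read. The following std-only model is an added example, not Anchor's or the detector's own code; `UserProfile`, the helper names and both discriminator constants are constructed placeholders rather than real hash output.

```rust
// Constructed placeholders standing in for sha256("account:<Name>")[..8].
const VAULT_DISC: [u8; 8] = *b"VAULT___";
const PROFILE_DISC: [u8; 8] = *b"PROFILE_"; // hypothetical UserProfile account

#[derive(Debug, PartialEq)]
pub enum AccountError { TooShort, DiscriminatorMismatch }

#[derive(Debug, PartialEq)]
pub struct Vault { pub authority: [u8; 32], pub balance: u64 }

// Body layout shared by Vault and UserProfile: 32-byte key, then u64 little-endian.
fn parse_body(body: &[u8]) -> Result<Vault, AccountError> {
    if body.len() < 40 { return Err(AccountError::TooShort); }
    let mut authority = [0u8; 32];
    authority.copy_from_slice(&body[..32]);
    let mut amount = [0u8; 8];
    amount.copy_from_slice(&body[32..40]);
    Ok(Vault { authority, balance: u64::from_le_bytes(amount) })
}

// Vulnerable pattern: steps over the first 8 bytes without comparing them.
pub fn load_vault_unchecked(data: &[u8]) -> Result<Vault, AccountError> {
    parse_body(data.get(8..).ok_or(AccountError::TooShort)?)
}

// Checked pattern: load 8 bytes at offset 0, compare, and only then deserialize.
pub fn load_vault_checked(data: &[u8]) -> Result<Vault, AccountError> {
    let disc = data.get(..8).ok_or(AccountError::TooShort)?;
    if disc != &VAULT_DISC[..] { return Err(AccountError::DiscriminatorMismatch); }
    parse_body(&data[8..])
}

// Constructed account data: discriminator || 32-byte key || u64 little-endian.
pub fn make_account(disc: [u8; 8], key: [u8; 32], amount: u64) -> Vec<u8> {
    let mut v = disc.to_vec();
    v.extend_from_slice(&key);
    v.extend_from_slice(&amount.to_le_bytes());
    v
}

fn main() {
    let profile = make_account(PROFILE_DISC, [7u8; 32], 1_000_000);
    println!("unchecked: {:?}", load_vault_unchecked(&profile)); // parsed as a Vault
    println!("checked:   {:?}", load_vault_checked(&profile));   // rejected
}
```

In real Anchor code the equivalent distinction is between `AccountDeserialize::try_deserialize`, which performs this comparison, and `try_deserialize_unchecked`, which does not.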
Example JSON Finding
{
  "detector": "anchor-discriminator-validation",
  "severity": "high",
  "confidence": 0.7,
  "message": "Account data deserialized without discriminator validation",
  "location": { "function": "process", "block": 0, "statement": 2 }
}
Detection Methodology
- Discriminator load detection: Identifies 8-byte loads from account data offset 0.
- Comparison analysis: Checks for comparisons of loaded discriminators against expected values.
- Account data access tracking: Flags account data reads without preceding discriminator checks.
- Collision risk assessment: Detects accounts with similar discriminator prefixes.
Limitations
- False positives: Programs with custom discriminator schemes that use different byte counts may be flagged.
- False negatives: Discriminator checks in separate utility functions may not be traced to the account access.
Related Detectors
- Non-Anchor Discriminator — non-Anchor instruction routing
- Native Discriminator Validation — native program discriminators
- Account Type Confusion — type mismatch attacks