Instruction Fallback Handler
Detects unsafe fallback logic for unrecognized instruction discriminators that may allow attackers to execute unintended code paths.
Instruction Fallback Handler
Overview
Remediation Guide: How to Fix Instruction Fallback Handler
The instruction fallback handler detector identifies Solana programs that accept unrecognized instruction discriminators without returning an error. When a program reads the first byte of instruction data as a discriminator but either never validates it, or validates it with a default path that continues execution instead of erroring, attackers can invoke unintended code paths.
This detector covers three distinct patterns: entry points that never read a discriminator, discriminators that are read but never checked in a conditional branch, and discriminators that are checked but have a fallback path that silently continues execution rather than returning an error.
Why This Is an Issue
An unsafe fallback handler allows an attacker to send any discriminator value and reach code that was never intended to be publicly callable. This can bypass access control checks tied to specific instruction types, execute administrative operations through unvalidated paths, or cause the program to silently accept and process garbage instructions. The most severe variant — where both branches of a discriminator check continue execution — effectively makes the discriminator validation meaningless.
How to Resolve
pub fn process_instruction(
_program_id: &Pubkey,
accounts: &[AccountInfo],
instruction_data: &[u8],
) -> ProgramResult {
if instruction_data.is_empty() {
return Err(ProgramError::InvalidInstructionData);
}
let discriminator = instruction_data[0];
match discriminator {
0 => handle_initialize(accounts, &instruction_data[1..]),
1 => handle_transfer(accounts, &instruction_data[1..]),
2 => handle_close(accounts, &instruction_data[1..]),
_ => Err(ProgramError::InvalidInstructionData), // Always error on unknown
}
}Examples
Vulnerable Code
pub fn process_instruction(
_program_id: &Pubkey,
accounts: &[AccountInfo],
instruction_data: &[u8],
) -> ProgramResult {
let discriminator = instruction_data[0];
if discriminator == 0 {
handle_initialize(accounts, instruction_data)?;
}
// Falls through for ANY other discriminator value -- executes whatever follows
do_something_dangerous(accounts)
}Fixed Code
pub fn process_instruction(
_program_id: &Pubkey,
accounts: &[AccountInfo],
instruction_data: &[u8],
) -> ProgramResult {
let discriminator = instruction_data[0];
match discriminator {
0 => handle_initialize(accounts, &instruction_data[1..]),
_ => Err(ProgramError::InvalidInstructionData),
}
}Sample Sigvex Output
[CRITICAL] Unsafe Fallback Handler for Unknown Instructions
Location: process_instruction
Description: Instruction discriminator is validated but both branches
continue execution without erroring on unrecognized values.
CWE: CWE-749 (Exposed Dangerous Method)Detection Methodology
- Discriminator read identification: Locates assignments that load the first byte of instruction data (offset 0), which conventionally holds the instruction discriminator.
- Branch analysis: Tracks whether the discriminator variable appears in conditional comparisons. If it is read but never compared, the detector flags missing validation.
- Fallback path verification: For discriminators that are compared, the detector checks whether the false branch (unknown discriminator) terminates with an error or continues execution. Both branches continuing execution triggers a critical-severity finding.
- Entry point check: Dispatch entry points (
entrypoint,process_instruction,main) that contain no discriminator read are flagged at medium severity.
Limitations
False positives: Programs using unconventional dispatch mechanisms (e.g., hash-based routing, multi-byte discriminators) may be flagged if the detector does not recognize the validation pattern. Anchor programs receive significantly reduced confidence because Anchor uses 8-byte SHA-derived discriminators with automatic error handling. False negatives: Custom dispatch logic that stores the discriminator in a non-standard variable may not be tracked.
Related Detectors
- Instruction Data Parsing Edge Cases — detects broader parsing safety issues
- Instruction Verification Pattern — detects incorrect ordering of validation and operations