Native Discriminator Validation
Detects native programs deserializing account data without discriminator checks.
Overview
The native discriminator validation detector identifies native (non-Anchor) Solana programs that deserialize account data without first checking a discriminator or type tag. Without validation, an attacker can pass an account of the wrong type with a matching data layout, causing type confusion that leads to misinterpreted fields, logic errors, unauthorized state manipulation, or fund theft.
For remediation guidance, see Native Discriminator Validation Remediation.
Why This Is an Issue
Solana accounts are identified by their public key, not by their type: any account can be passed to any instruction. Anchor programs get an 8-byte discriminator written and checked automatically; a native program must define and check its own type tag. Without one at a known offset (conventionally the first byte or bytes of the account data), the program cannot tell which of its own account types it was handed. An attacker who controls an account owned by the same program but holding a different type with a compatible data layout can pass it where another type is expected, so that fields are misinterpreted (for example, a fee or counter field read as a balance, or an unrelated pubkey read as an authority). The discriminator check is only meaningful together with an owner check: an attacker controls every byte of an account they own, including any tag byte, so a program that skips `account.owner == program_id` can be fed a forged discriminator.
How to Resolve
Before (Vulnerable)
// Vulnerable: deserializes from offset 0 with no type tag; any program-owned
// account whose bytes fit the VaultState layout parses successfully
let data = account.data.borrow();
let vault: VaultState = VaultState::try_from_slice(&data)?;
After (Fixed)
// Fixed: validates the discriminator before deserialization (the owner check
// must already have passed; `require!` is an Anchor macro, so a native program
// uses a plain early return)
let data = account.data.borrow();
if data.is_empty() || data[0] != VAULT_DISCRIMINATOR {
    return Err(ProgramError::InvalidAccountData);
}
let vault: VaultState = VaultState::try_from_slice(&data[1..])?;
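The following is an added example, not code from the detector or from any real program, that makes the type confusion described above concrete: two hypothetical account types, VaultState and FeeConfig, share the layout "32-byte pubkey, then a u64", so their serialized bytes are indistinguishable without a tag. To run without solana_program or borsh it hand-rolls the fixed layout; the account names, the tag values and the one-byte tag scheme are all assumptions.

```rust
// Added example (not the detector's or any program's own code). Hand-rolled
// fixed layout instead of borsh/solana_program so it runs with std alone.
// Account types, field names and discriminator values are hypothetical.

/// Hypothetical vault account: authority pubkey followed by a balance.
#[derive(Debug, PartialEq)]
pub struct VaultState {
    pub authority: [u8; 32],
    pub balance: u64,
}

/// Hypothetical fee-config account with the same 40-byte body layout.
#[derive(Debug, PartialEq)]
pub struct FeeConfig {
    pub collector: [u8; 32],
    pub fee_bps: u64,
}

pub const VAULT_DISCRIMINATOR: u8 = 1;
pub const FEE_CONFIG_DISCRIMINATOR: u8 = 2;
const BODY_LEN: usize = 32 + 8;

/// Stand-in for solana_program::program_error::ProgramError.
#[derive(Debug, PartialEq)]
pub enum ProgramError {
    InvalidAccountData,
}

/// Parses "[32-byte key][u64 little-endian]"; rejects any other length.
fn parse_body(body: &[u8]) -> Result<([u8; 32], u64), ProgramError> {
    if body.len() != BODY_LEN {
        return Err(ProgramError::InvalidAccountData);
    }
    let mut key = [0u8; 32];
    key.copy_from_slice(&body[..32]);
    let mut num = [0u8; 8];
    num.copy_from_slice(&body[32..]);
    Ok((key, u64::from_le_bytes(num)))
}

/// The program writes a one-byte tag in front of every account body.
pub fn serialize_vault(v: &VaultState) -> Vec<u8> {
    let mut out = Vec::with_capacity(1 + BODY_LEN);
    out.push(VAULT_DISCRIMINATOR);
    out.extend_from_slice(&v.authority);
    out.extend_from_slice(&v.balance.to_le_bytes());
    out
}

pub fn serialize_fee_config(f: &FeeConfig) -> Vec<u8> {
    let mut out = Vec::with_capacity(1 + BODY_LEN);
    out.push(FEE_CONFIG_DISCRIMINATOR);
    out.extend_from_slice(&f.collector);
    out.extend_from_slice(&f.fee_bps.to_le_bytes());
    out
}

/// Vulnerable loader: skips the tag byte but never compares it, so any
/// 41-byte account owned by the program is accepted as a vault.
pub fn load_vault_unchecked(data: &[u8]) -> Result<VaultState, ProgramError> {
    let body = data.get(1..).ok_or(ProgramError::InvalidAccountData)?;
    let (authority, balance) = parse_body(body)?;
    Ok(VaultState { authority, balance })
}

/// Fixed loader: the tag must match before the body is interpreted.
/// (In a real program the owner check precedes this; it is out of scope here.)
pub fn load_vault(data: &[u8]) -> Result<VaultState, ProgramError> {
    if data.first() != Some(&VAULT_DISCRIMINATOR) {
        return Err(ProgramError::InvalidAccountData);
    }
    let (authority, balance) = parse_body(&data[1..])?;
    Ok(VaultState { authority, balance })
}

/// The attack: a FeeConfig (constructed sample data) whose collector is the
/// attacker and whose fee is 10_000 bps, handed to both loaders as a "vault".
pub fn confused_vault() -> (Result<VaultState, ProgramError>, Result<VaultState, ProgramError>) {
    let attacker = [0xAA; 32];
    let fee = FeeConfig { collector: attacker, fee_bps: 10_000 };
    let bytes = serialize_fee_config(&fee);
    (load_vault_unchecked(&bytes), load_vault(&bytes))
}

fn main() {
    let (unchecked, checked) = confused_vault();
    // unchecked yields a vault with authority = attacker and balance = 10_000
    println!("unchecked: {:?}", unchecked);
    // checked yields Err(InvalidAccountData)
    println!("checked:   {:?}", checked);
}
```

The unchecked loader turns the fee collector into the vault authority and the fee rate into the balance, which is exactly the field misinterpretation the detector is looking for; the checked loader rejects the account before any field is read. Note that the check is on the raw bytes, not on the deserialized struct, so it runs even when the body would otherwise parse cleanly.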
Example JSON Finding
{
"detector": "native-discriminator-validation",
"severity": "high",
"confidence": 0.7,
"message": "Account data deserialized at offset 0 without prior discriminator check",
"location": { "function": "process", "block": 1, "statement": 3 }
}
Detection Methodology
- Account data read tracking: Identifies loads from account data.
- Discriminator check detection: Searches for comparisons against expected type tags at data offset 0.
- Deserialization without validation: Flags data deserialization without preceding discriminator checks.
- Cross-block analysis: Tracks whether discriminator validation occurs in earlier blocks.
Limitations
- False positives: accounts whose address is a PDA derived from type-specific seeds and re-derived by the program cannot be substituted with another type, but the detector may still flag them because it only looks for a tag comparison.
- False negatives: discriminator schemes that compare several bytes, hash the type name, or check the tag at an offset other than 0 may not be recognized as a check.
Related Detectors
- Anchor Discriminator Validation — Anchor-specific checks
- Non-Anchor Discriminator — instruction routing
- Type Cosplay — type confusion attacks