Non-Anchor Discriminator
Detects missing instruction discrimination in non-Anchor Solana programs.
Non-Anchor Discriminator
Overview
The non-Anchor discriminator detector identifies raw Solana programs that lack instruction discrimination. While Anchor programs use 8-byte SHA256-based discriminators, raw programs should still implement instruction routing to prevent instruction confusion attacks. Programs that accept instruction data without any discrimination are vulnerable to executing unexpected instruction handlers.
For remediation guidance, see Non-Anchor Discriminator Remediation.
Why This Is an Issue
Without instruction discrimination, all incoming instruction data flows to a single handler or an ambiguous routing path. An attacker can submit instruction data crafted to trigger unintended code paths, potentially executing administrative functions or bypassing security checks. This is highly prevalent in early Solana programs and custom protocols.
How to Resolve
Before (Vulnerable)
// Vulnerable: processes instruction data without discriminator routing
pub fn process_instruction(
program_id: &Pubkey,
accounts: &[AccountInfo],
instruction_data: &[u8],
) -> ProgramResult {
// No routing -- all data goes to one handler
process_data(accounts, instruction_data)
}After (Fixed)
// Fixed: explicit instruction routing via discriminator byte
pub fn process_instruction(
program_id: &Pubkey,
accounts: &[AccountInfo],
instruction_data: &[u8],
) -> ProgramResult {
let (tag, rest) = instruction_data.split_first()
.ok_or(ProgramError::InvalidInstructionData)?;
match tag {
0 => process_deposit(accounts, rest),
1 => process_withdraw(accounts, rest),
2 => process_admin(accounts, rest),
_ => Err(ProgramError::InvalidInstructionData),
}
}Example JSON Finding
{
"detector": "non-anchor-discriminator",
"severity": "medium",
"confidence": 0.6,
"message": "Instruction data processed without discriminator routing",
"location": { "function": "process_instruction", "block": 0, "statement": 1 }
}Detection Methodology
- Entry point analysis: Identifies the program entry point and instruction data handling.
- Discriminator pattern search: Looks for branch/match operations on the first bytes of instruction data.
- Anchor detection exclusion: Skips programs that use Anchor’s 8-byte discriminator pattern.
- Routing coverage: Verifies that all instruction paths include a discriminator check.
Limitations
False positives: Programs with a single instruction that intentionally process all data uniformly. False negatives: Custom routing mechanisms that use instruction data offsets other than the first byte.
Related Detectors
- Anchor Discriminator Validation — Anchor discriminator issues
- Native Discriminator Validation — account discriminators
- Instruction Data Parsing — data parsing issues