Anchor Discriminator Validation Remediation

Overview

Related Detector: Anchor Discriminator Validation

Missing discriminator validation enables type confusion attacks. The fix is to always validate the 8-byte discriminator before deserializing account data, or use Anchor’s Account<'info, T> type which handles this automatically.

Recommended Fix

Before (Vulnerable)

let data = account.data.borrow();
let vault: Vault = Vault::deserialize(&mut &data[..])?;

After (Fixed)

// Option 1: Use Anchor Account type (preferred)
pub vault: Account<'info, Vault>,  // Auto-validates discriminator

// Option 2: Manual check
let data = account.data.borrow();
let discriminator = &data[..8];
require!(discriminator == Vault::DISCRIMINATOR, ErrorCode::InvalidDiscriminator);
let vault: Vault = Vault::deserialize(&mut &data[8..])?;

Alternative Mitigations

AccountLoader for Zero-Copy

For large accounts using zero-copy deserialization, use AccountLoader:

pub vault: AccountLoader<'info, Vault>,  // Also validates discriminator

Common Mistakes

Mistake: Deserializing from Offset 0

// WRONG: includes discriminator bytes in deserialization
let vault: Vault = Vault::try_from_slice(&data)?;  // 8 extra bytes corrupt fields

When manually deserializing, skip the first 8 bytes: &data[8..].

References

• Anchor — Account Discriminators
• CWE-843: Access of Resource Using Incompatible Type