SVM Remediation April 6, 2026 1 min read

Native Discriminator Validation Remediation

How to fix missing discriminator validation in native Solana programs.

svmaccess-control

Native Discriminator Validation Remediation

Overview

Related Detector: Native Discriminator Validation

Missing account type discriminators enable type confusion. The fix is to prepend a unique discriminator byte (or bytes) to every account type and validate it before deserialization.

Recommended Fix

Before (Vulnerable)

let vault: VaultState = VaultState::try_from_slice(&data)?;

After (Fixed)

const VAULT_TAG: u8 = 1;
const USER_TAG: u8 = 2;

require!(data[0] == VAULT_TAG, InvalidAccountType);
let vault: VaultState = VaultState::try_from_slice(&data[1..])?;

Alternative Mitigations

SHA256-Based Discriminators

For stronger type safety, use 8-byte SHA256 discriminators similar to Anchor:

use solana_program::hash::hash;
let expected = &hash(b"account:VaultState").to_bytes()[..8];
require!(&data[..8] == expected, InvalidAccountType);

Common Mistakes

Mistake: Same Discriminator for Different Types

// WRONG: both account types use discriminator 1
const VAULT_TAG: u8 = 1;
const USER_TAG: u8 = 1;  // Collision!

Use unique discriminator values for every account type.

References

Sealevel Attacks — Type Cosplay
CWE-843: Access of Resource Using Incompatible Type

SVM Detector

Native Discriminator Validation

Detects native programs deserializing account data without discriminator checks.

Back to Knowledge Base

Use the Sign In button in the navigation bar.

Sigvex

Advanced bytecode decompilation and security analysis across multiple runtimes. Detect vulnerabilities, exploits, and reverse-engineer smart contracts directly on-chain.

Product

Features
How It Works
Pricing

Resources

Knowledge Base
Research
Blog

Company

About
Contact
Security

Legal

Terms of Service
Privacy Policy
Cookie Policy
Acceptable Use

Built for developers, by developers.