Skip to main content
Sigvex

Native Discriminator Validation Remediation

How to fix missing discriminator validation in native Solana programs.

Native Discriminator Validation Remediation

Overview

Related Detector: Native Discriminator Validation

Missing account type discriminators enable type confusion. The fix is to prepend a unique discriminator byte (or bytes) to every account type and validate it before deserialization.

Before (Vulnerable)

let vault: VaultState = VaultState::try_from_slice(&data)?;

After (Fixed)

const VAULT_TAG: u8 = 1;
const USER_TAG: u8 = 2;

require!(data[0] == VAULT_TAG, InvalidAccountType);
let vault: VaultState = VaultState::try_from_slice(&data[1..])?;

Alternative Mitigations

SHA256-Based Discriminators

For stronger type safety, use 8-byte SHA256 discriminators similar to Anchor:

use solana_program::hash::hash;
let expected = &hash(b"account:VaultState").to_bytes()[..8];
require!(&data[..8] == expected, InvalidAccountType);

Common Mistakes

Mistake: Same Discriminator for Different Types

// WRONG: both account types use discriminator 1
const VAULT_TAG: u8 = 1;
const USER_TAG: u8 = 1;  // Collision!

Use unique discriminator values for every account type.

References