Borsh

Binary Object Representation Serializer for Hashing, a deterministic serialization format used by Solana for encoding and decoding on-chain account data.

Borsh (Binary Object Representation Serializer for Hashing) is the standard serialization format used across the Solana ecosystem. It converts Rust data structures to and from compact binary representations that are stored in on-chain accounts. Unlike JSON or other text-based formats, Borsh produces deterministic output—the same data always serializes to the exact same bytes—which is critical for hashing and on-chain verification.

Why Solana uses Borsh

Solana's SVM is stateless: programs do not retain state between executions. All persistent data lives in accounts as raw bytes. Borsh provides the bridge between structured Rust types and these raw byte arrays with three guarantees:

  1. Determinism: Identical inputs always produce identical byte sequences
  2. Efficiency: Minimal overhead compared to JSON or Protobuf
  3. Schema awareness: Types define their own serialization layout, enabling schema generation and cross-language compatibility

Type cosplay vulnerability

One of the most critical security risks related to Borsh is type cosplay. Because Borsh does not embed type identifiers in the serialized output, a program that deserializes account data without verifying the account's discriminator can be tricked into interpreting one data structure as another.

For example, if an AdminConfig struct and a UserProfile struct have overlapping byte layouts, an attacker could pass a UserProfile account where an AdminConfig is expected, potentially escalating privileges.

The Anchor framework mitigates this by prepending an 8-byte discriminator (derived from the struct name's SHA-256 hash) to all account data, but native programs must implement this check manually.
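The cosplay scenario described above, as an added example rather than code from the page or from Solana: the Borsh byte layout (fixed-size arrays as-is, bool as one byte, String as a little-endian u32 length prefix plus UTF-8 bytes) is hand-encoded so only the Rust standard library is needed. The AdminConfig and UserProfile names come from the page; their fields and the ADMIN_DISC/USER_DISC bytes are constructed stand-ins for Anchor-style discriminators.

```rust
// Added example (not from the page or Solana): hand-encoded Borsh layout to show type cosplay.
const DISC_LEN: usize = 8;
// Constructed stand-ins for Anchor-style 8-byte account discriminators.
const ADMIN_DISC: [u8; 8] = [0xa1, 0x2b, 0x3c, 0x4d, 0x5e, 0x6f, 0x70, 0x81];
const USER_DISC: [u8; 8] = [0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88];
#[derive(Debug, PartialEq)]
struct AdminConfig { authority: [u8; 32], is_admin: bool }
#[derive(Debug, PartialEq)]
struct UserProfile { owner: [u8; 32], verified: bool, name: String }

/// Borsh encoding of UserProfile: fixed array as-is, bool as one byte,
/// String as a u32 little-endian length prefix followed by UTF-8 bytes.
fn encode_user(p: &UserProfile) -> Vec<u8> {
    let mut out = p.owner.to_vec();
    out.push(p.verified as u8);
    out.extend_from_slice(&(p.name.len() as u32).to_le_bytes());
    out.extend_from_slice(p.name.as_bytes());
    out
}

/// Naive decode: reads fields in declaration order and ignores trailing bytes.
/// The first 33 bytes of a UserProfile line up exactly with AdminConfig.
fn decode_admin_unchecked(data: &[u8]) -> Option<AdminConfig> {
    if data.len() < 33 || data[32] > 1 {
        return None; // too short, or the bool byte is not 0/1
    }
    let mut authority = [0u8; 32];
    authority.copy_from_slice(&data[..32]);
    Some(AdminConfig { authority, is_admin: data[32] == 1 })
}

/// Hardened decode: require the expected discriminator before any field is
/// read, as Anchor does automatically and native programs must do by hand.
fn decode_admin_checked(data: &[u8]) -> Option<AdminConfig> {
    if data.len() < DISC_LEN || data[..DISC_LEN] != ADMIN_DISC {
        return None;
    }
    decode_admin_unchecked(&data[DISC_LEN..])
}

fn main() {
    let user = UserProfile { owner: [7u8; 32], verified: true, name: "mallory".into() };
    let raw = encode_user(&user);
    // Without the check, the user bytes parse as an AdminConfig with is_admin = true.
    println!("unchecked: {:?}", decode_admin_unchecked(&raw).map(|a| a.is_admin));
    let mut account = USER_DISC.to_vec();
    account.extend_from_slice(&raw);
    // With the check, the mismatched discriminator is rejected (prints None).
    println!("checked: {:?}", decode_admin_checked(&account));
}
```

The same decode-in-declaration-order behaviour is why the field-ordering item in the audit list matters: inserting or reordering a field shifts every byte after it.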

Audit considerations

When auditing Solana programs that use Borsh, security researchers should verify:

  • Account discriminators are checked before deserialization
  • Struct field ordering matches across all program versions (field reordering breaks deserialization)
  • Variable-length fields (like Vec and String) have bounded lengths to prevent excessive allocation
  • Client-side TypeScript serialization matches on-chain Rust expectations

Borsh is a foundational component of Solana's data model, and understanding its mechanics is essential for identifying serialization-related vulnerabilities during audits.


© 2024 Zealynx