Squads

Announcing Solana Multisig Tools Three new open-source tools for Squads Protocol v4. All three are small, self-hostable, and built with minimal dependencies. We're actively engaging with STRIDE to help strengthen multisig management practices on Solana. This is the first step towards multiple independent frontends and access points to v4. multisig-cli A focused Rust CLI for reviewing, simulating, signing, and executing multisig proposals. It parses multisig accounts and instructions directly instead of pulling in a large dependency tree. The result is a binary that's easy to audit and well suited for high-trust operational workflows. If you're using an older CLI, we recommend switching to this multisig-cli which has minimal dependencies. multisig-verifier A static, zero-backend browser UI. Reads multisigs state directly from Solana RPCs, decodes proposals, tracks approvals, and lets members approve or reject from their own wallet. No secrets leave the browser. Strict CSP rules by default. multisig-monitor Real-time visibility into multisig activity. Watches configured multisigs, decodes actions, and emits notifications when members create, vote on, execute, or modify configuration. Treasury and governance events surface as they happen. The pattern across all three: inspect before signing, verify before approving, monitor after execution. Smaller dependency surfaces reduce supply-chain risk. Direct decoding reduces blind signing. Open implementations are reviewable end-to-end. Monitoring closes the loop. We strongly encourage every team to verify what they're signing through more than one interface. Don't rely solely on any single frontend. Cross-check with a CLI, an independent verifier, or a second client before approving anything that matters. We're working with a number of security teams who will host their own versions of the multisig-verifier. You can self-host today. Soon teams will also be able to access independently operated instances run by parties with no affiliation to Squads. Link to the repo in the post below.

We've identified an address poisoning attack targeting Squads users. We have no evidence of any users being impacted at this time. Attack vector: Since all public keys are visible onchain, attackers are programmatically creating new multisig accounts that include existing Squads users as members. These multisigs appear in the UI because the program indexes all accounts associated with your key. Additionally, attackers are grinding public keys that match the first and last characters of your real multisig addresses, making fake accounts look legitimate at a glance. Attacker goal: Get you to mistake a fake multisig for one of your real ones — either by copying its vault address (sending funds to an attacker-controlled account) or by signing a transaction you didn't initiate. Impact: None, if you don't interact. This is not a protocol vulnerability. The attacker cannot access your funds, execute transactions, or modify your existing multisigs. It is purely a UI-level social engineering attempt. Action required: — Ignore and do not interact with any multisig you did not create or weren't added to by your team — Do not rely on matching the first and last characters of an address to verify it — always verify the full address against your own records — If you're unsure whether a multisig is legitimate, check with your team before taking any action — Set your Squads accounts as default — this pins them to the top of your Squad list, making it easy to distinguish your real accounts from anything unfamiliar. We encourage everyone to do this now if you haven't already (click on ... next to your Squad in the Squad list). UI updates shipping in the next two hours: — A banner alerting users to this attack — An alert on any multisig you've never interacted with before In the next few days we are also shipping a whitelist logic where all new multisig accounts initially go to a pending state requiring you to manually add them to your Squad list. We'll follow up here with updates as we roll these out.