The Solana-based multisig protocol Squads has issued a security alert regarding a surge in address poisoning attacks targeting its user base. According to a statement released on April 14, 2026, malicious actors are attempting to deceive participants by creating fraudulent multisig accounts that mimic legitimate ones. While the team confirms that no funds have been lost and the protocol itself remains secure, the incident highlights a sophisticated social engineering tactic designed to exploit user oversight during transaction signing and asset transfers.
Mechanism of the Address Poisoning Exploit
The attack leverages the transparency of the Solana blockchain to identify active public keys. Attackers programmatically generate new multisig accounts, adding existing Squads users as members without their consent. To increase the deception, the perpetrators use key collision techniques to create addresses that share the same prefix and suffix characters as the user's authentic multisig.
Address poisoning relies on the common habit of users checking only the first and last few characters of a wallet address rather than the entire alphanumeric string.
The primary objectives of these attackers include:
- Attempting to trick users into depositing assets into the forged multisig accounts.
- Deceiving members into signing unauthorized or malicious transactions.
- Cluttering the user interface to induce confusion and human error.
Protocol Integrity and Future Safety Measures
Squads has clarified that this activity does not represent a smart contract vulnerability or a breach of the protocol's security architecture. The core logic of existing multisigs remains intact, and unauthorized parties cannot access assets held within legitimate vaults.
This is purely an interface-level social engineering attack. Attackers cannot access user funds or modify existing multisigs.
To mitigate these risks moving forward, the development team has announced the upcoming launch of a whitelisting mechanism. This feature will allow users to filter their dashboard and interact only with verified or manually approved multisig accounts, effectively neutralizing the visibility of "poisoned" addresses.
In the interim, the protocol's advisors urge the community to follow strict security practices:
- Verify the full address of any multisig before initiating a transfer or signature.
- Ignore any new multisig accounts that were not explicitly created by known team members.
- Utilize block explorers to confirm the history and legitimacy of an account.
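The full-address check and the allowlist filtering described above can be sketched as follows. This is an added example, not Squads code: the function names, the 4-character comparison window and the sample addresses are assumptions made for illustration.

```javascript
// Added example: names, window size and sample addresses are assumptions, not Squads code.
const BASE58_ADDRESS = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/; // shape check only, not a full decode

// Classify one multisig address against addresses the team has approved.
//   "trusted"   - exact, full-string match with an approved address
//   "lookalike" - same first/last `n` characters as an approved address, different middle
//   "unknown"   - no relation to any approved address
//   "malformed" - not a base58 string of plausible length
function classifyMultisig(candidate, approved, n = 4) {
  if (typeof candidate !== "string" || !BASE58_ADDRESS.test(candidate)) {
    return { verdict: "malformed", mimics: null };
  }
  if (approved.includes(candidate)) {
    return { verdict: "trusted", mimics: null };
  }
  const mimics = approved.find(
    (a) => a.slice(0, n) === candidate.slice(0, n) && a.slice(-n) === candidate.slice(-n)
  );
  return mimics ? { verdict: "lookalike", mimics } : { verdict: "unknown", mimics: null };
}

// Split a dashboard listing into what to show and what to flag for review.
function filterDashboard(listed, approved, n = 4) {
  const shown = [];
  const flagged = [];
  for (const address of listed) {
    const result = classifyMultisig(address, approved, n);
    if (result.verdict === "trusted") shown.push(address);
    else flagged.push({ address, ...result });
  }
  return { shown, flagged };
}

// Constructed sample data (not real accounts).
const TEAM_VAULT = "7xKp" + "A1".repeat(18) + "9fQz";
const POISONED = "7xKp" + "B2".repeat(18) + "9fQz"; // same ends, different middle
const UNRELATED = "3mNt" + "C3".repeat(18) + "8hRw";

const report = filterDashboard([TEAM_VAULT, POISONED, UNRELATED, "not-an-address"], [TEAM_VAULT]);
console.log(JSON.stringify(report, null, 2));
```

Only an exact full-string match is treated as trusted; an address that merely shares its ends with an approved one is reported together with the address it imitates.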
As the Solana ecosystem continues to grow, such interface-level attacks are becoming more prevalent. Users are reminded that maintaining operational security (OpSec) and double-checking on-chain data are essential practices in decentralized finance. Squads continues to monitor the situation and will provide updates as the new security features are integrated into the platform.