An address-poisoning attack targeting Squads users has been identified. No evidence exists of any users being impacted at this time.

Attack vector: Because all public keys are visible on-chain, attackers are programmatically creating new multisig accounts that include existing Squads users as members. These multisigs show up in the UI since the program indexes all accounts associated with a key. Attackers are also grinding public keys that match the first and last characters of real multisig addresses, making fake accounts appear legitimate at a glance.

Attacker goal: Cause a fake multisig to be mistaken for a real one — either by copying its vault address (sending funds to an attacker-controlled account) or by getting a signer to approve a transaction they did not initiate.

Impact: None if there is no interaction. This is not a protocol vulnerability. Attackers cannot access funds, execute transactions, or modify existing multisigs. It is a UI-level social engineering attempt.

Action required:

— Do not interact with any multisig that was not created or added by the team
— Do not rely on matching only the first and last characters of an address; always verify the full address against internal records
— If legitimacy is uncertain, verify with the team before taking action
— Mark your legitimate Squads accounts as default via the Squad list options so they are pinned to the top of the Squad list
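The following is an added example of the full-address check recommended above; it is not Squads code. It compares a candidate address, character for character, against an internal record of known multisig addresses, and separately flags addresses that share only the leading and trailing characters of a known address (the pattern the attacker relies on). The allowlist, the prefix/suffix width of four characters, and all addresses below are constructed assumptions for illustration.

```javascript
// Added example (not Squads code). Verifies a multisig or vault address by full
// string comparison against an internal allowlist and flags lookalikes that
// only match on the first/last characters. All addresses here are constructed.

// Solana addresses use the Bitcoin base58 alphabet (no 0, O, I, or l).
const BASE58_RE = /^[1-9A-HJ-NP-Za-km-z]+$/;

// Assumed internal record of legitimate multisig addresses (constructed values).
const KNOWN_MULTISIGS = {
  treasury: "7NmcVAx1iLoRjMaYgr7ZswxAGvCzLDSf6qsSwf2yQrQn",
  ops: "4kH1uQ9fRvsdE2cPqGe8L2uYx7TzbkWkQo1vFzj3Wk9b",
};

// How many leading/trailing characters a wallet UI typically shows (assumed).
const PREFIX_LEN = 4;
const SUFFIX_LEN = 4;

// Classify a candidate address against the allowlist.
//   known     - exact, full-string match to a recorded address
//   lookalike - same first/last characters as a recorded address but not equal
//   unknown   - valid base58, but not in the record at all
//   invalid   - not a syntactically valid base58 address
function classifyAddress(candidate, known = KNOWN_MULTISIGS) {
  const addr = String(candidate).trim();
  if (!BASE58_RE.test(addr) || addr.length < 32 || addr.length > 44) {
    return { status: "invalid" };
  }

  // Exact match first: this is the only outcome that should ever be trusted.
  for (const [label, real] of Object.entries(known)) {
    if (addr === real) return { status: "known", label };
  }

  // Partial match on the visible ends only: treat as a poisoning candidate.
  for (const [label, real] of Object.entries(known)) {
    const samePrefix = addr.startsWith(real.slice(0, PREFIX_LEN));
    const sameSuffix = addr.endsWith(real.slice(-SUFFIX_LEN));
    if (samePrefix && sameSuffix) return { status: "lookalike", label };
  }

  return { status: "unknown" };
}

// Gate used before approving or sending: only a full match passes.
function isSafeToInteract(candidate, known = KNOWN_MULTISIGS) {
  return classifyAddress(candidate, known).status === "known";
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    KNOWN_MULTISIGS.treasury,                        // real
    "7NmcQ2pRkT5vBdj9hYx3WnLsGa8eFuM4cHzKtVqyQrQn", // same 4 leading/trailing chars
    "Gq3aZb7wYuV2xRtNkMfP8dHcJsLe4mBnEo9rXyWv6pTa", // unrelated
    "0OIl-not-base58",                               // malformed
  ];
  for (const s of samples) {
    console.log(s, "=>", JSON.stringify(classifyAddress(s)), "safe:", isSafeToInteract(s));
  }
}

module.exports = { classifyAddress, isSafeToInteract, KNOWN_MULTISIGS };
```

A "lookalike" result is the interesting one operationally: it is exactly what a truncated UI display would render as identical to a real address, so it should block the action and prompt a check with the team rather than merely warn.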

UI updates deploying in the next two hours:

— A banner alerting users to this attack
— An alert on any multisig never interacted with before

A whitelist mechanism will be deployed in the next few days so that new multisig accounts initially go to a pending state and require manual addition to the Squad list.

Further updates will be shared as these rollouts occur.