Skip to content

Comments

Security Fix: Spending limit usable by removed multisig members#173

Open
AdeshAtole wants to merge 1 commit intoSquads-Protocol:mainfrom
AdeshAtole:fix/spending-limit-removed-members
Open

Security Fix: Spending limit usable by removed multisig members#173
AdeshAtole wants to merge 1 commit intoSquads-Protocol:mainfrom
AdeshAtole:fix/spending-limit-removed-members

Conversation

@AdeshAtole
Copy link

@AdeshAtole AdeshAtole commented Feb 11, 2026

Security Finding

[MEDIUM] Removed Multisig Members Retain Spending Limit Access

File: programs/squads_multisig_program/src/instructions/spending_limit_use.rs:102

Issue:
spending_limit_use validates that the caller is in spending_limit.members but does NOT verify they are still an active member of the multisig. When a member is removed from the multisig via config_transaction_execute, their key remains in any previously-assigned spending limits.

Attack:

  1. Member A is added to multisig and assigned a spending limit
  2. Member A is removed from the multisig (e.g., due to compromise)
  3. Member A can still use the spending limit to drain the vault

Fix: Added multisig.is_member(member.key()).is_some() check to enforce current multisig membership before allowing spending limit use.

Found during a Solana security audit

@AdeshAtole
fix: verify multisig membership in spending_limit_use
f04539d 
spending_limit_use only checked if the member was in the spending
limit's own member list, not whether they were still an active
multisig member. Removed members could retain vault drain access
through previously-assigned spending limits.

Added multisig.is_member() check to enforce current membership.
@vercel
Copy link

vercel bot commented Feb 11, 2026

@AdeshAtole is attempting to deploy a commit to the squads Team on Vercel.

A member of the Team first needs to authorize it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AdeshAtole