Futures
Access hundreds of perpetual contracts
CFD
Gold
One platform for global traditional assets
Options
Hot
Trade European-style vanilla options
Unified Account
Maximize your capital efficiency
Demo Trading
Introduction to Futures Trading
Learn the basics of futures trading
Futures Events
Join events to earn rewards
Demo Trading
Use virtual funds to practice risk-free trading
CFD
Stock CFD Derivatives
US Stocks
Access real US stocks and ETFs
HK Stocks
Trade quality Hong Kong-listed stocks
Korean Stocks
SK Hynix
Real Korean stocks and top assets
Stock Futures
High leverage, 24/7 trading
Tokenized Stocks
Backed by real stock assets
IPO Access
Unlock full access to global stock IPOs
GUSD
3.8%
Mint GUSD for Treasury RWA yields
Stocks Activities
Trade Popular Stocks and Unlock Generous Airdrops
Launch
CandyDrop
Collect candies to earn airdrops
Launchpool
Quick staking, earn potential new tokens
HODLer Airdrop
Hold GT and get massive airdrops for free
IPO Access
Unlock full access to global stock IPOs
Alpha Points
Trade on-chain assets and earn airdrops
Futures Points
Earn futures points and claim airdrop rewards
Promotions
AI
Gate AI
Your all-in-one conversational AI partner
Gate AI Bot
Use Gate AI directly in your social App
GateClaw
Gate Blue Lobster, ready to go
Gate for AI Agent
AI infrastructure, Gate MCP, Skills, and CLI
Gate Skills Hub
10K+ Skills
From office tasks to trading, the all-in-one skill hub makes AI even more useful.
Squads Sounds Alarm on Address Poisoning Scheme Hitting Solana Multisig Users
Squads has flagged an active address poisoning attack targeting Solana multisig users. No funds lost yet, but the threat is real and growing fast.
Squads, the leading multisig platform on Solana, went public Monday with a security warning that most users probably weren’t expecting to wake up to. An address poisoning attack is actively targeting its user base. No funds have been lost.
Not yet, anyway.
According to @multisig on X, attackers are exploiting how Solana indexes public on-chain data. Because every public key and its associated accounts are visible onchain, bad actors are programmatically spinning up new multisig accounts that include real Squads users as members. Those fake accounts show up in the Squads UI.
The Trick Is Subtle But Effective
The attack doesn’t need a protocol bug to work. It doesn’t need your private keys either.
What it needs is your attention to slip, just once. As @multisig explained in the post, attackers are also grinding public keys that match the first and last characters of real Squads vault addresses. That makes a fake account look indistinguishable from a real one at a glance. The goal is simple: get users to copy a vault address that belongs to the attacker, then send funds there.
Or sign a transaction they never created.
The address poisoning playbook isn’t new. What’s different here is the multisig angle. Attackers aren’t poisoning a wallet history with a lookalike transfer. They’re injecting fake multisig accounts directly into a user’s Squad list, making them appear as if they belong there.
No Protocol Breach, But the Risk Is Real
Squads was direct about the scope of the threat. The attacker cannot execute transactions, cannot touch existing multisigs, and cannot move funds without user action. It is, as @multisig put it in the X post, “purely a UI-level social engineering attempt.”
That framing matters. This is not a hack in the traditional sense. But social engineering has cost users far more than most protocol exploits ever have.
In the hours after the announcement, Squads said UI updates were shipping within two hours. A warning banner alerting users to the attack was one of them. The platform also said an alert would appear on any multisig a user had never interacted with before. Both changes went out to help users separate real accounts from injected fakes faster.
Longer-term, @multisig confirmed a whitelist system is coming within days. New multisig accounts will start in a pending state and require manual approval before appearing in a user’s Squad list. That effectively cuts out the attack vector at the UI level.
What Squads Told Users to Do Right Now
The platform gave its users four clear steps. First, ignore and do not interact with any multisig you didn’t create or weren’t added to by your team. Second, stop relying on matching just the first and last characters of a wallet address to verify it. That partial check is exactly what attackers are counting on.
Third, if anything looks off, check with your team before signing anything. Fourth, and the one Squads pushed hardest: set your real accounts as default. That pins them to the top of the Squad list, making impostors easier to spot. Users can do that by clicking the three-dot menu next to their Squad.
Fake address detection tools are becoming a standard response to this category of threat. Squads is building one directly into its workflow.
The team said it will continue posting updates on X as fixes roll out.