Squads (RT Squads): Probe into the @DriftProtocol incident continues; preliminary findings point to two compromised admin multisig signers
Squads update: Our investigation into the @DriftProtocol incident is still underway. Early indicators suggest two signers on Drift's admin multisig were compromised and used to execute a transaction that altered Drift's program configuration. The Squads programs were not compromised. We also have not seen evidence of a breach of Squads infrastructure, and we are continuing work to confirm this with full confidence. We will share additional findings as they become available.
Best practices for operationally critical multisigs
Thresholds: Any multisig with operational or administrative control over a program should use a signing threshold of 3+ to force an attacker to compromise multiple independent signers at the same time. Where feasible, distribute signers geographically and across organizations. Co-located signers, shared devices, or shared org structures create correlated risk.
Timelocks: Multisigs with program-level control should enable a timelock (available in the Settings of your Squads multisig). A timelock doesn't stop a malicious proposal from being created, but it provides time to detect and reject it before execution. The tradeoff is slower response time during legitimate emergencies such as bugs or active exploits.
Alerts & monitoring: We recommend monitoring and alerts for all operationally critical multisigs via our security partner @RangeSecurity. Range offers (1) an independent interface to verify transaction contents outside the Squads UI and (2) proactive Slack alerts so signers are notified before a proposal advances. If you'd like help getting set up, reach out and we'll connect you directly. A high threshold, a timelock, and monitoring form the baseline for any multisig with program-level control.
Signing process: Use dedicated devices and hardware wallets for signing, not general-purpose machines. Signatures are valid for about 2 minutes, so introduce at least a 2-minute delay between each signer's actions to reduce the risk that an attacker can collect and bundle signatures. Independently verify transaction content using all three sources: the Squads UI, Range's interface, and Solana Explorer or Solscan.
Durable nonces: The Drift attack leveraged durable nonces to gather signatures without time pressure, bypassing the standard ~2-minute transaction expiry that would otherwise constrain this attack path. We are exploring ways to block durable nonce usage across all of our programs at the program level and through additional enforcement mechanisms, with the goal of extending this protection to our immutable programs V3 and V4, as well as our current Smart Account Program. More broadly, the Solana ecosystem is also moving to address this at the protocol level with a new transaction format that removes durable nonces entirely. We'll share more soon.
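As an added example (not Squads' or Drift's code), a pre-signing check that tells a reviewer whether a proposed transaction relies on a durable nonce. It inspects a legacy compiled Solana message: the runtime only treats a transaction as durable-nonce based when its first instruction is the System Program's AdvanceNonceAccount, so that is what the check keys on. The message dict shape, the instruction bytes and all account keys except the system program and the RecentBlockhashes sysvar are constructed placeholders.

```python
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction discriminant, u32 little-endian

def is_advance_nonce(ix: dict, account_keys: list) -> bool:
    """True if a compiled instruction is SystemProgram::AdvanceNonceAccount."""
    program_id = account_keys[ix["programIdIndex"]]
    data = ix["data"]  # raw bytes here; RPC "json" encoding carries base58 text instead
    if program_id != SYSTEM_PROGRAM_ID or len(data) < 4:
        return False
    return int.from_bytes(data[:4], "little") == ADVANCE_NONCE_ACCOUNT

def classify_message(message: dict) -> dict:
    """Solana treats a transaction as durable-nonce based only when its FIRST
    instruction is AdvanceNonceAccount; recentBlockhash then holds the stored
    nonce and the usual ~2-minute blockhash expiry no longer applies."""
    keys, ixs = message["accountKeys"], message["instructions"]
    first_is_advance = bool(ixs) and is_advance_nonce(ixs[0], keys)
    return {
        "durable_nonce": first_is_advance,
        # account 0 of AdvanceNonceAccount is the nonce account itself
        "nonce_account": keys[ixs[0]["accounts"][0]] if first_is_advance else None,
        "advance_nonce_not_first": any(is_advance_nonce(ix, keys) for ix in ixs[1:]),
    }

def review_proposal(message: dict) -> list:
    """Findings a signer should read before approving; empty list means nothing flagged."""
    c, findings = classify_message(message), []
    if c["durable_nonce"]:
        findings.append(f"durable nonce via {c['nonce_account']}: collected signatures "
                        "will not expire; confirm the nonce account is one you control")
    if c["advance_nonce_not_first"]:
        findings.append("AdvanceNonceAccount outside position 0: unusual, inspect manually")
    return findings

# Constructed sample (placeholder keys): a durable-nonce message that advances a
# nonce and then calls a target program with a 1-byte payload, plus a normal one.
_KEYS = ["SignerAuthorityPlaceholder11111111111111111",
         "NonceAccountPlaceholder1111111111111111111111",
         "SysvarRecentB1ockHashes11111111111111111111",  # real sysvar address
         SYSTEM_PROGRAM_ID,
         "TargetProgramPlaceholder111111111111111111111"]
_CONFIG_IX = {"programIdIndex": 4, "accounts": [0], "data": b"\x01"}
DURABLE_MSG = {"recentBlockhash": "<stored nonce value>", "accountKeys": _KEYS,
               "instructions": [{"programIdIndex": 3, "accounts": [1, 2, 0],
                                 "data": b"\x04\x00\x00\x00"}, _CONFIG_IX]}
NORMAL_MSG = {"recentBlockhash": "<recent blockhash>", "accountKeys": _KEYS,
              "instructions": [_CONFIG_IX]}
```

A real deployment would decode the base58 instruction data from the RPC response and run this alongside the three-source content verification described above; a durable-nonce finding on an admin proposal is a reason to stop and ask who created the nonce account and why.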
Beyond multisig: operational security
Technical controls have limits. Many recent high-profile compromises have stemmed from social engineering aimed at the people holding keys rather than the contracts themselves. If your protocol operations are mission-critical, invest in internal opsec processes and culture: how proposals are initiated, communicated, and approved matters. We recommend working with dedicated security advisors. @zeroshadow_io and @0xGroomLake are trusted starting points, and we're happy to facilitate introductions.