Attack vector: Because all public keys are visible on-chain, attackers are programmatically creating new multisig accounts that include existing Squads users as members. These multisigs show up in the UI since the program indexes all accounts associated with a key. Attackers are also grinding public keys that match the first and last characters of real multisig addresses, making fake accounts appear legitimate at a glance.
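A defender-side check for the pattern described in the comment above, added here as an example and not taken from the comment or from Squads' code: it sorts the multisigs an indexer returns for a member key against a list of addresses the user saved in full. The function names, the four-character abbreviation width, and the sample addresses are assumptions constructed for illustration.

```javascript
// Assumption: the UI shows only the first and last N characters of an address.
const VISIBLE = 4;

function abbreviate(addr, n = VISIBLE) {
  return `${addr.slice(0, n)}...${addr.slice(-n)}`;
}

// trusted: full addresses the user recorded out-of-band.
// indexed: every multisig address the indexer lists for the user's key.
function triageMultisigs(trusted, indexed, n = VISIBLE) {
  const trustedSet = new Set(trusted);
  // Abbreviated form -> full trusted address, to catch visual collisions.
  const byAbbrev = new Map(trusted.map((a) => [abbreviate(a, n), a]));
  return indexed.map((addr) => {
    // Only a full-string match counts as trusted.
    if (trustedSet.has(addr)) return { addr, verdict: "trusted" };
    // Same visible prefix and suffix as a trusted address, different middle.
    const twin = byAbbrev.get(abbreviate(addr, n));
    if (twin) return { addr, verdict: "lookalike", imitates: twin };
    // Only one end matches: weaker signal, still worth surfacing.
    const partial = trusted.find(
      (t) => t.slice(0, n) === addr.slice(0, n) || t.slice(-n) === addr.slice(-n)
    );
    if (partial) return { addr, verdict: "partial-match", imitates: partial };
    // The user's key is a member, but the account was never vetted.
    return { addr, verdict: "unknown" };
  });
}

// Constructed sample data (not real addresses).
const SAMPLE_TRUSTED = ["7xKpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9WqZ"];
const SAMPLE_INDEXED = [
  "7xKpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9WqZ",
  "7xKpBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB9WqZ",
  "7xKpCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC3mNt",
  "D4rtDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDh2Ue",
];

for (const r of triageMultisigs(SAMPLE_TRUSTED, SAMPLE_INDEXED)) {
  console.log(abbreviate(r.addr), r.verdict);
}
```

Anything other than `trusted` should be hidden or visibly flagged until the user confirms the full address through a separate channel.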