From f04539d778161efacb8ac539cd6e8c9be3fc9543 Mon Sep 17 00:00:00 2001
From: Adesh Atole
Date: Wed, 11 Feb 2026 20:08:21 +0000
Subject: [PATCH] fix: verify multisig membership in spending_limit_use
spending_limit_use only checked if the member was in the spending limit's own member list, not whether they were still an active multisig member. Removed members could retain vault drain access through previously-assigned spending limits. Added multisig.is_member() check to enforce current membership.
---
 .../src/instructions/spending_limit_use.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/programs/squads_multisig_program/src/instructions/spending_limit_use.rs b/programs/squads_multisig_program/src/instructions/spending_limit_use.rs
index 0d929220..5af6089f 100644
--- a/programs/squads_multisig_program/src/instructions/spending_limit_use.rs
+++ b/programs/squads_multisig_program/src/instructions/spending_limit_use.rs
@@ -96,11 +96,17 @@ impl SpendingLimitUse<'_> {
 ..
 } = self;
- // member
+ // member - must be in BOTH the spending limit's member list AND the multisig's member list.
+ // SECURITY FIX: Previously only checked spending_limit.members, allowing removed
+ // multisig members to retain spending limit access.
 require!(
 spending_limit.members.contains(&member.key()),
 MultisigError::Unauthorized
 );
+ require!(
+ multisig.is_member(member.key()).is_some(),
+ MultisigError::NotAMember
+ );
 // spending_limit - needs no checking.
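Review bot: Stale keys stay in `spending_limit.members` after this change, so a key that is removed from the multisig and later re-added would presumably regain its old limit without anyone re-granting it; whether member removal should also prune or invalidate spending limits is decided outside this hunk and is worth confirming. The new comment records history ("SECURITY FIX: Previously only checked…") that the commit message already carries; in the code I would keep only the invariant, e.g. `// member - must be in the spending limit's member list AND be a current multisig member.` The diffstat shows a single file changed, so no regression test covers the removed-member case; a test that removes a member and asserts the instruction then fails with `MultisigError::NotAMember` would pin the fix. The destructuring pattern begins above the hunk, so confirm `multisig` is actually bound there rather than swallowed by `..`.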