Purrlend Exploit — April 25, 2026 Post-Mortem (Aggregated)
The Incident
On April 25, 2026, Purrlend — a decentralized lending and borrowing protocol deployed simultaneously on HyperEVM and MegaETH — was drained of approximately $1.52 million in a coordinated dual-network attack. The protocol paused all activity while investigators tracked the attacker's wallets.
Loss Breakdown
HyperEVM: $1,197,488 — including 449,683 USDC, 214,125 USDT0, and 194,745 USDH.
MegaETH: $324,549 — including 163,169 USDT0, 36.8 WETH, and 75,745 USDm.
How the Attack Worked
At approximately 1:20 a.m. UTC on April 25, Purrlend's admin multisig executed a suspicious transaction that updated borrowing caps and assigned a new "bridge" role to an unknown address. Roughly eight hours later, that same address used its newly-granted bridge privileges to mint unbacked tokens and drain the protocol's collateral pools across both chains. Tokens were minted without any actual collateral backing them.
The Core Technical Issue
Purrlend's admin multisig was 2-of-3 with no timelock. Once two signers were either compromised (via key leak or social engineering) or otherwise convinced to sign a malicious privilege-grant transaction, the attacker received bridge-role authority instantly with no review window. This meant a single multisig action could grant unbacked-mint authority, with no on-chain delay during which the grant could be detected before it took effect.
Cross-Chain Aspect
The simultaneous drain on two L2s (HyperEVM and MegaETH) suggests the attacker pre-positioned helper contracts on both chains and triggered the exploit in parallel once the privilege-grant transaction confirmed. The pattern matches a single-actor or coordinated-team operation rather than independent opportunists.
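The sequence described above (a bridge-role grant to an unknown address, then unbacked mints on both chains roughly eight hours later) can be flagged from decoded events. This is an added example, not Purrlend's code or tooling: the event schema, addresses, allowlist and 24-hour watch window are assumptions, and the sample events are constructed, with times relative to the grant.

```python
from dataclasses import dataclass

# All values below are constructed placeholders, not incident data.
KNOWN_ROLE_HOLDERS = {"0xKNOWN_BRIDGE"}   # assumed allowlist of expected grantees
PRIVILEGED_ROLES = {"bridge"}             # roles that can mint
WATCH_WINDOW = 24 * 3600                  # assumed scrutiny period after a grant (s)

@dataclass
class Event:
    ts: int                 # seconds relative to the grant transaction
    chain: str
    kind: str               # "role_granted" or "mint" (hypothetical decoded names)
    subject: str            # grantee or minter address
    role: str = ""
    collateral_in: int = 0  # collateral received in the same transaction

def detect(events):
    """Return (severity, ts, chain, message) alerts in time order."""
    alerts, new_grants = [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "role_granted" and e.role in PRIVILEGED_ROLES:
            # A privileged role going to an address outside the allowlist.
            if e.subject not in KNOWN_ROLE_HOLDERS:
                new_grants[e.subject] = e.ts
                alerts.append(("HIGH", e.ts, e.chain,
                               f"{e.role} role granted to unlisted {e.subject}"))
        elif e.kind == "mint" and e.collateral_in == 0:
            # A mint with no collateral by an address granted the role recently,
            # matched on any chain because the grantee address is the same.
            granted = new_grants.get(e.subject)
            if granted is not None and e.ts - granted <= WATCH_WINDOW:
                alerts.append(("CRITICAL", e.ts, e.chain,
                               f"unbacked mint by new grantee {e.subject}"))
    return alerts

SAMPLE = [  # constructed timeline: grant at t=0, drains eight hours later
    Event(0, "hyperevm", "role_granted", "0xUNKNOWN", role="bridge"),
    Event(3600, "hyperevm", "mint", "0xKNOWN_BRIDGE", collateral_in=1000),
    Event(8 * 3600, "hyperevm", "mint", "0xUNKNOWN"),
    Event(8 * 3600, "megaeth", "mint", "0xUNKNOWN"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

In the sample timeline the HIGH alert fires at the grant itself, eight hours before the first CRITICAL mint alert, which is the interval in which a pause could have been triggered.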
Response
Purrlend paused both deployments. The team identified attacker addresses but had not recovered the funds at the time of reporting. The incident was added to April 2026's tally, which pushed the month's total DeFi losses past $800 million.