According to the official disclosure of Purrlend, a security incident occurred on April 25, 2026, during deployment on HyperEVM and MegaETH, resulting in a loss of approximately 1.52 million USD.

The cause was that the team’s multi-signature admin wallet was compromised, and the attacker gained multiple management permissions including BRIDGE_ROLE.
They then minted about 2 million pUSDm and 4.85 million pUSDC, among other uncollateralized tokens, through mintUnbacked, and used these as collateral to borrow real assets.
Finally, they withdrew about 1.52 million USD worth of assets from the protocol pool.
Subsequently, the attacker exchanged the assets for USDC and ETH and transferred them across chains via Mayan, LiFi, and other cross-chain protocols.
Approximately 652 ETH can still be tracked on-chain.
The project team stated that they have paused the protocol, revoked permissions, and launched an investigation, cooperating with security agencies and law enforcement to trace the funds.
They attributed the incident to operational security issues due to the lack of a time lock in the multi-signature configuration, rather than a smart contract vulnerability.
They plan to introduce a time lock, strengthen multi-signature security and permission controls, and research user compensation schemes.
The protocol will remain paused until security is confirmed.