Purrlend Exploit Drains $1.5M on HyperEVM and MegaETH


Key takeaways:

  • Admin multisig vulnerabilities remain DeFi's weakest link, with the $1.5M Purrlend exploit underscoring governance risks.
  • Stablecoin-heavy loot suggests attackers prioritize liquid assets for rapid cross-chain movements post-exploit.
  • Expect heightened scrutiny on HyperEVM and MegaETH security as investor confidence in emerging chains wavers.

Purrlend, a lending protocol built on HyperEVM and MegaETH, suffered a major exploit that drained approximately $1.5 million across both networks. The breach traces back to a suspicious admin multisig transaction that granted unauthorized bridge privileges hours before the attack.

According to reports, a key transaction occurred at 1:20 a.m. UTC on April 25, 2026. The admin multisig updated borrowing caps and assigned roles to an unknown address. That address later received bridge privileges, enabling unbacked token minting—tokens were minted without any actual collateral backing them. This type of access is highly sensitive in DeFi lending systems, and granting it to an unverified address opened the door for mass fund extraction.
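The sequence described above (a sensitive role granted to an unvetted address, followed by minting without collateral) can be watched for on the monitoring side. The following is an added example, not code from Purrlend or from the cited reports; the role names, event fields, addresses and the simplified backing model are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical role names; the page does not name the actual roles involved.
SENSITIVE_ROLES = {"BRIDGE_ROLE", "RISK_ADMIN_ROLE"}

@dataclass
class Event:
    ts: int            # seconds since a constructed reference time
    kind: str          # "RoleGranted" | "Deposit" | "Mint"
    account: str       # grantee, depositor or minter
    role: str = ""
    amount: int = 0

def detect(events, allowlist, window=24 * 3600):
    """Flag sensitive grants to unvetted accounts and mints that exceed deposited backing."""
    alerts = []
    granted_at = {}    # unvetted account -> time of its first sensitive grant
    backing = {}       # account -> deposited collateral not yet minted against
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "RoleGranted" and ev.role in SENSITIVE_ROLES:
            if ev.account not in allowlist:
                granted_at.setdefault(ev.account, ev.ts)
                alerts.append(("UNVETTED_GRANT", ev.account, ev.role, ev.ts))
        elif ev.kind == "Deposit":
            backing[ev.account] = backing.get(ev.account, 0) + ev.amount
        elif ev.kind == "Mint":
            available = backing.get(ev.account, 0)
            if ev.amount > available:
                recent = ev.account in granted_at and ev.ts - granted_at[ev.account] <= window
                kind = "UNBACKED_MINT_AFTER_GRANT" if recent else "UNBACKED_MINT"
                alerts.append((kind, ev.account, ev.amount - available, ev.ts))
            backing[ev.account] = max(0, available - ev.amount)
    return alerts

# Constructed sample events (not real on-chain data).
ALLOWLIST = {"0xVETTED"}
SAMPLE = [
    Event(0, "RoleGranted", "0xUNKNOWN", role="RISK_ADMIN_ROLE"),
    Event(600, "RoleGranted", "0xUNKNOWN", role="BRIDGE_ROLE"),
    Event(900, "Deposit", "0xVETTED", amount=1000),
    Event(1000, "Mint", "0xVETTED", amount=1000),
    Event(7200, "Mint", "0xUNKNOWN", amount=500000),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, ALLOWLIST):
        print(alert)
```

In practice the grant alert is the one that buys response time, since it fires before any funds move.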

Purrlend confirmed on its official account that it detected irregular activity and stated the protocol was paused, with further updates to follow. No additional technical breakdown has been released yet.

On-chain analyst kirbycrypto broke down the stolen assets in detail. HyperEVM suffered the larger hit, losing $1,197,488 in total, including 449,683 USDC, 214,125 USDT0, 194,745 USDH, and other assets like wstHYPE, UBTC, UETH, kHYPE, and WHYPE. MegaETH recorded losses of $324,549, with attackers taking 163,169 USDT0, 36.8 WETH, and 75,745 USDm. Combined, the total reached approximately $1.52 million.

The assets targeted were primarily stablecoins and wrapped tokens, which are typically high-liquidity targets in DeFi exploits due to their ease of movement across chains.

Community members responded with frustration, with several users pointing to prior red flags, including heavy promotion of the protocol right before MegaETH’s token event. Others called it a potential inside job, though no proof has confirmed that claim. No funds have been recovered so far, and the investigation remains ongoing.

This incident adds to a difficult stretch for the DeFi sector, with April alone seeing over $600 million in losses from various attacks and exploits. The pattern has raised broader concerns about access control in DeFi governance structures.

Sources
Purrlend Exploit Steals $1.5M on HyperEVM and MegaETH
www.livebitcoinnews.com 25.04.2026 16:00
Mythos AI exposes $1 billion risk in DeFi via DOT
COINTURK NEWS 25.04.2026 18:37