According to official disclosures from Purrlend, on April 25, 2026, a security incident occurred during deployment on HyperEVM and MegaETH, resulting in a loss of approximately $1.52 million. The cause was that the team’s two-thirds multisignature admin wallet was compromised. After gaining multiple management permissions, including BRIDGE_ROLE, the attacker minted about 2 million pUSDm and 4.85 million pUSDC, which are uncollateralized tokens, and used them as collateral to borrow real assets. Ultimately, about $1.52 million worth of assets were withdrawn from the protocol pool. Afterwards, the attacker exchanged the assets for USDC and ETH and transferred them across chains via Mayan, LiFi, and other cross-chain protocols. Approximately 652 ETH can still be tracked on-chain. The project team stated that they have paused the protocol, revoked permissions, and launched an investigation. They are cooperating with security agencies and law enforcement to trace the funds. They attributed the incident to operational security issues related to multisignature configuration lacking a time lock, rather than a smart contract vulnerability. Plans include introducing a time lock, strengthening multisignature security and permission controls, and researching user compensation schemes. The protocol will remain paused until security is confirmed.