Purrlend experiences security incident, loss of $1.52 million

ME News Report, May 1st (UTC+8), according to Purrlend’s official disclosure, on April 25, 2026, a security incident occurred during deployment on HyperEVM and MegaETH, resulting in a loss of approximately $1.52 million. The cause was that more than two-thirds of the team’s multi-signature admin wallets were compromised. After gaining multiple management permissions, the attacker minted about 2 million pUSDm and 4.85 million pUSDC, which are uncollateralized tokens, through mintUnbacked, and borrowed real assets, ultimately extracting about $1.52 million worth of assets from the protocol pool. Afterwards, the attacker exchanged the assets for USDC and ETH, and through cross-chain transfers, approximately 652 ETH can still be tracked on-chain. The project team stated that they have paused the protocol, revoked permissions, and launched an investigation, cooperating with security agencies and law enforcement to trace the funds. They attributed the incident to security issues related to the lack of a time lock in the multi-signature configuration. The project plans to introduce time locks, strengthen multi-signature security and permission controls, and explore user compensation schemes. The protocol will remain paused until security is confirmed. (Source: MLion)