Purrlend Loses $1.5M as Community Points to Inside Job on HyperEVM

The Purrlend exploit wiped out the protocol’s entire TVL on April 25, 2026. A DeFi lending platform built on HyperEVM and MegaETH, Purrlend saw its total value locked collapse from $1.53 million to just $443 in a single day. The protocol paused operations hours after the drain began.

On-chain data traced the full damage fast. According to @kirbyongeo on X, the attacker pulled 449,683.8748 USDC, 214,125.3752 USDT0, and 194,745.1368 USDH from HyperEVM alone. That network’s total haul came to $1,197,488.33. MegaETH lost an additional $324,549.49, bringing the grand total to $1,522,037.82. The exploiter’s address is publicly visible on both HyperEVM scan and MegaETH’s explorer.

Admin Multisig Added the Attacker Hours Before

The sequence is what makes this case different from a standard smart contract bug. According to @fbsloXBT on X, Purrlend’s admin multisig — a 2-of-3 setup with no timelock — added the exploiter’s address as a “bridge” roughly eight hours before the drain. That bridge role was inherited from an older Aave version still active in Purrlend’s codebase. It gave the address the ability to mint unbacked tokens. Then the drain happened.

As @Darkfost_Coc noted on X, multiple assets were affected across the broad protocol, and reports point to the attacker being added by the admin multisig itself, potentially granting access to mint tokens without any real collateral backing them. No timelock. No delay. No window for anyone watching the chain to flag it in time.

@wiseadvicesumit on X broke it down without hedging:

“This wasn’t a hack. This was a rug with extra steps.”

The same post noted the exploiter’s addresses were already public and that funds had not moved yet at the time of writing.

The Community Is Not Waiting for an Investigation

Purrlend posted a statement through its official account, @purrlend on X, confirming it detected irregular activity and had paused the protocol. The team asked users to proceed with caution and promised updates.

The response from the community was blunt. @jennylau998998 on X wrote that posts across the platform were pointing to an inside job, adding that pretending to investigate was pointless. The sentiment was shared widely.

@argsaraus on X posted that the message then visible was likely the last thing the project would ever say publicly.

None of those accounts presented on-chain proof of who specifically controlled the multisig keys. But the transaction record showing the exploiter added as a permissioned role hours before the drain sits in public blockchain data. That part is not disputed.

What Was Taken and What It Means for HyperEVM

The asset list from HyperEVM included $wstHYPE, $kHYPE, $WHYPE, $UBTC, and $UETH alongside the stablecoin positions. These are native ecosystem tokens tied to the Hyperliquid network. Their presence in the haul means the damage extended beyond stablecoins into tokens that represent staked and wrapped positions within the HyperEVM ecosystem specifically.

MegaETH’s losses of $324,549 included 163,169.1587 USDT0, 36.8639 WETH, and 75,745.4505 USDm. MegaETH, an Ethereum layer-2 network that launched its public mainnet in February 2026, was still building its security reputation when this happened.

The Purrlend exploit is part of a wider pattern. April 2026 has already seen over $600 million drained from DeFi protocols in 18 days. KelpDAO and Drift Protocol account for the bulk of that, with combined losses near $577 million. The Purrlend case is smaller by comparison but sharper in terms of governance failure. A 2-of-3 multisig without a timelock gave two keyholders the ability to add a malicious address and execute a full drain before anyone outside could react.

Whether that was a coordinated insider move or a compromised keyholder from outside, the structural problem is the same. No timelock. No delay. No protection.