Lending protocol Purrlend lost $1.52 million across its HyperEVM and MegaETH deployments on April 25, pausing its protocol while investigators track wallets that have been identified but not recovered , the latest incident in what is now the worst month for DeFi security in the industry's history.
By the standards of April 2026, $1.52 million barely registers. The month began on April 1 with the Drift Protocol exploit, which drained $280 million from the Solana-based perpetuals platform and appeared to open a season of attacks that has not closed. On April 18, KelpDAO suffered the largest single DeFi exploit of the year , $293 million in rsETH siphoned through a flaw in a LayerZero bridge validator setup in 46 minutes, triggering a $10 billion ecosystem-wide bank run that cascaded through Aave and Compound. Total DeFi losses for April have now crossed $800 million as Purrlend's exploit pushes the month's running tally past the $606 million figure that Blockonomi had already called the worst in DeFi history earlier this week. Purrlend is not the story of the month. It is the most recent chapter of it.
On April 25, Purrlend confirmed it detected irregular activity across its deployments on both HyperEVM and MegaETH and paused the protocol while it investigates. On-chain analyst kirbyongeo broke down the damage in granular detail. From HyperEVM, the attacker drained $1.2 million: 449,683 USDC, 214,125 USDT0, and 194,745 USDH , all dollar-pegged stablecoins , along with smaller amounts of UBTC, a tokenized version of Bitcoin, and the network tokens wstHYPE, UETH, kHYPE, and WHYPE. From MegaETH, the attacker took an additional $324,549 in USDT0, wrapped Ethereum, and USDm. The exploiter's wallet addresses have been identified on both chains' public block explorers. Nothing has been recovered.
Purrlend operates as a non-custodial lending and borrowing protocol on both networks, allowing users to deposit crypto assets, earn interest, or borrow against their holdings. The protocol's High Efficiency Mode feature, which enables 90% loan-to-value ratios on correlated asset pairs, is designed for capital efficiency , exactly the kind of concentrated leverage that amplifies losses when collateral accounting fails. The specific attack vector has not been disclosed by the team, which is standard practice during an active investigation to prevent copycat exploits on related protocols.
\h2>Why the Timing Matters for MegaETH
MegaETH is a relatively new high-throughput EVM chain designed for speed, and it is scheduled to conduct its public token launch on April 30 , five days from the date of this exploit. A security incident on MegaETH less than a week before a major token generation event is not good timing for a project trying to attract liquidity and users ahead of a launch that the crypto community has been anticipating for months. The exploit does not implicate MegaETH's core infrastructure , Purrlend is an application built on top of the chain, not the chain itself , but the distinction gets muddled in a market where user perception of an ecosystem's safety depends on the worst incident associated with it, regardless of which layer the incident actually occurred on.
HyperEVM has a more established but equally complicated security history. It is the smart contract execution layer of Hyperliquid, the decentralized trading platform that has become one of the most actively used DeFi protocols. The Hyperliquid ecosystem has experienced a series of security incidents since the HyperEVM launch: a $400,000 NFT wallet compromise in September 2025, the $773,000 HyperDrive exploit, a $3.6 million HyperVault exit scam, a $13.5 million JELLY token manipulation in March 2026, and the HypurrFi domain hack that froze $30 million in TVL in April. Purrlend's $1.2 million drain on HyperEVM adds to a pattern that has become difficult for ecosystem defenders to dismiss as isolated incidents.
The Month's Bigger Security Picture
April 2026's DeFi loss tally traces the anatomy of an industry-wide security failure across multiple attack vectors. The Drift exploit involved whitelisting a fabricated token as collateral before draining real assets , a playbook that Rhea Finance's $7.6 million loss replicated two weeks later. The Kelp DAO exploit weaponized a single-validator trust assumption in a LayerZero bridge, an architectural risk that multiple security researchers had flagged publicly before the attack. Resolv Labs lost $25 million after attackers exploited cloud infrastructure to mint 80 million unbacked USR tokens, triggering a depeg that spread losses to interconnected protocols including Morpho Blue and Euler. Silo Finance lost $392,000 to a misconfigured oracle. Dango lost $410,000 to a bridge aggregator bug.
The pattern that emerges across these incidents is not a single dominant attack vector but a distributed set of weaknesses , oracle design, bridge validator assumptions, token whitelisting logic, cloud infrastructure , being exploited simultaneously by a threat actor community that is clearly sharing information and techniques faster than protocol teams are patching them. Intellectia AI's analysis noted that while traditional smart contract coding errors have decreased by 89% due to improved auditing standards, new attack classes targeting cross-chain messages, social engineering, and oracle manipulation now account for the bulk of losses. Auditing a smart contract's code is no longer sufficient. The security perimeter has expanded to include every system the protocol touches, and that perimeter is very large.
For users currently holding assets in DeFi protocols on newer chains, Purrlend's pause is a practical reminder that protocol suspension is now the standard emergency response. The assets are frozen, not necessarily lost , but the distinction depends entirely on whether the team can identify the vulnerability, whether the attacker has already bridged the funds beyond recovery, and whether the protocol has treasury reserves to compensate affected depositors. On all three of those questions, Purrlend's investigation is ongoing.
Also read: Some crypto chains raised $613 million and made $1,568 in a day. That gap tells you everything. • The US froze $344 million in Tether in a single phone call to Paolo Ardoino • France's crypto kidnapping epidemic and a 19 million record data leak are two sides of the same security failure
