Joined April 2026
gm @purrlend @0xmil0, do we have any news from the hacker?
Incentive campaigns are becoming part of DeFi’s norm. Users see rewards, TVL, ecosystem mentions, and assume some baseline diligence was done. After Ploutos and now @purrlend, it is time to ask: How much risk context should reward platforms show before users deposit? A 🧵
7/ To be clear: This is not saying @merkl_xyz caused either incident. They did not. But reward frontends create distribution and perceived legitimacy. If users discover a protocol through a rewards frontend, many treat that as a soft trust signal.
8/ The ask is simple: @merkl_xyz please keep campaigns permissionless, but curate the frontend better. Ploutos, now @purrlend. This is the second time users got routed into an Aave fork that later blew up. Total loss so far ~$2M. Better risk labels. Better screening. Better user protection. cc @GuillaumeNervo @AngleProtocol @zachxbt
PurrHack retweeted
I personally suffered a significant loss with this one. Hopefully the hacker, who left several traces, won't want to ruin his life with a potential theft crime case, and the funds will be returned with some sort of whitehat bounty. DeFi can do better.
PurrHack retweeted
How @purrlend @0xmil0 exploited 1,5M$ and possibly more with his previous project with the help of several large crypto companies and insiders, including @merkl_xyz @VB_Audit even mentions from @bread_ & @megaeth, alongside @0xmil0 previous project Ploutos:
PurrHack retweeted
Apr 30
I don't like to FUD competitors, and also didn't want to see Purrlend go down this way (I even reported one (different) critical security issue to them recently), but the timing of multisig txs makes this look very much like an inside job. There are 3 signers (0x731, 0xB48, 0x2Bc) on their multisig. 0x731 and 0x2Bc signed the malicious transaction. The founder claims his address wasn't involved, which leaves 0xB48 as his address. But if we look at the Safe audit log, we can see that all usual transactions (on both HypeEVM and MegaETH) are signed by 0x731 and 0xB48, with less than one minute between them (20-40 seconds on average). As someone who has significant experience coordinating high-security multisigs, I can confidently say that it's literally impossible for multiple people to sign in such a short time. Once, maybe, but not every single transaction. Especially not between the first-second signature, where the creator needs to notify other signers before they can sign. This means 0x731 and 0xB48 are almost certainly the same person. And we know 0xB48 is the founder (from his Discord message)... So, in the best-case scenario, they are lying about how many (real) signers are on the multisig. Add the multiple username changes and other shady behaviors... (signing on the attack txs also follows the same pattern, with 33 and 48 seconds between signers) The "compromised signing device sending fake data to HW" attack type also seems unlikely, considering the attack tx was at a very unusual time (3 AM CET, only tx in their multisig ever signed at CET night).
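The signer-timing check described in the post above, written out as an added example (not part of the original post and not any project's code): it groups multisig confirmations by transaction and reports signer pairs whose confirmations are consistently seconds apart. The signer labels, timestamps, thresholds and the flat record layout are all constructed assumptions; a real audit log would need to be exported into this shape first.

```python
from datetime import datetime
from itertools import combinations
from statistics import median

# Constructed sample data: (transaction id, signer label, confirmation time, UTC).
# Labels are placeholders, not addresses taken from the page.
CONFIRMATIONS = [
    ("tx1", "signer_A", "2025-01-05T10:00:00+00:00"),
    ("tx1", "signer_B", "2025-01-05T10:00:30+00:00"),
    ("tx2", "signer_A", "2025-01-09T14:05:10+00:00"),
    ("tx2", "signer_B", "2025-01-09T14:05:45+00:00"),
    ("tx3", "signer_A", "2025-01-12T09:12:00+00:00"),
    ("tx3", "signer_B", "2025-01-12T09:12:25+00:00"),
    ("tx4", "signer_A", "2025-01-15T16:00:00+00:00"),
    ("tx4", "signer_C", "2025-01-15T18:30:00+00:00"),
    ("tx5", "signer_A", "2025-01-20T11:00:00+00:00"),
    ("tx5", "signer_C", "2025-01-20T11:45:00+00:00"),
    ("tx6", "signer_C", "2025-01-22T08:00:00+00:00"),
    ("tx6", "signer_A", "2025-01-22T13:00:00+00:00"),
]

def pair_gaps(confirmations):
    """Map each signer pair to the gaps (seconds) between their
    confirmations on every transaction they both signed."""
    by_tx = {}
    for tx, signer, ts in confirmations:
        by_tx.setdefault(tx, {})[signer] = datetime.fromisoformat(ts)
    gaps = {}
    for signers in by_tx.values():
        for a, b in combinations(sorted(signers), 2):
            delta = abs((signers[a] - signers[b]).total_seconds())
            gaps.setdefault((a, b), []).append(delta)
    return gaps

def fast_pairs(confirmations, max_median_s=60, min_txs=3):
    """Return {pair: median gap} for pairs that co-signed at least
    min_txs transactions with a median gap at or under max_median_s.
    One quick co-signature proves little; the pattern across many does."""
    result = {}
    for pair, g in pair_gaps(confirmations).items():
        if len(g) >= min_txs and median(g) <= max_median_s:
            result[pair] = median(g)
    return result

if __name__ == "__main__":
    for pair, med in fast_pairs(CONFIRMATIONS).items():
        print(pair, f"median gap {med:.0f}s")
```

A flagged pair is a lead for review of key custody, not proof that two keys share one holder.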
Purrhack is live. A community-run transparency page for affected @purrlend users. You can: search your wallet, review the preliminary claim snapshot, download the data, submit corrections. This is not affiliated to @purrlend. Link in bio.