fbslo@fbsloXBT
I don't like to FUD competitors, and also didn't want to see Purrlend go down this way (I even reported one (different) critical security issue to them recently), but the timing of multisig txs makes this look very much like an inside job.
There are 3 signers (0x731, 0xB48, 0x2Bc) on their multisig.
0x731 and 0x2Bc signed the malicious transaction.
The founder claims his address wasn't involved, which leaves 0xB48 as his address.
But if we look at the Safe audit log, we can see that all usual transactions (on both HypeEVM and MegaETH) are signed by 0x731 and 0xB48, with less than one minute between them (20-40 seconds on average).
As someone who has significant experience coordinating high-security multisigs, I can confidently say that it's literally impossible for multiple people to sign in such a short time. Once, maybe, but not every single transaction. Especially not between the first and second signatures, where the creator needs to notify other signers before they can sign.
This means 0x731 and 0xB48 are almost certainly the same person.
And we know 0xB48 is the founder (from his Discord message)...
So, in the best-case scenario, they are lying about how many (real) signers are on the multisig. Add the multiple username changes and other shady behaviors...
(signing on the attack txs also follows the same pattern, with 33 and 48 seconds between signers)
The "compromised signing device sending fake data to HW" attack type also seems unlikely, considering the attack tx was at a very unusual time (3 AM CET, only tx in their multisig ever signed at CET night).
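The heuristic the thread applies (consistently short first-to-second signature gaps pointing at one operator controlling two "signers", plus a signature at an unusual local hour) can be turned into a repeatable check over a Safe's confirmation history. The following is an added example, not code from the thread author or from Safe/Purrlend: it runs over a small constructed set of confirmation records with the abbreviated signer labels used above (0x731, 0xB48, 0x2Bc), treats CET as a fixed UTC+1 offset (ignoring DST), and uses assumed thresholds (60 s "fast", 5 minimum transactions, 80 % fast fraction, 00:00-06:00 as night). The timestamps are invented to mirror the described pattern, not taken from any audit log.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumption: CET modelled as a fixed UTC+1 offset, DST ignored.
CET = timezone(timedelta(hours=1))


@dataclass(frozen=True)
class Confirmation:
    signer: str          # abbreviated signer address (placeholder, as in the thread)
    signed_at: datetime  # timezone-aware UTC timestamp of the signature


@dataclass(frozen=True)
class SafeTx:
    nonce: int
    chain: str
    confirmations: list[Confirmation]


def _utc(iso: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample data: five routine txs signed by 0x731/0xB48 within seconds,
# one routine tx with a realistic multi-hour coordination gap to 0x2Bc, and one
# night-time tx signed by 0x731/0x2Bc 33 s apart. None of this is real audit-log data.
SAMPLE_TXS = [
    SafeTx(1, "hypeevm", [Confirmation("0x731", _utc("2025-01-10T10:00:00")), Confirmation("0xB48", _utc("2025-01-10T10:00:22"))]),
    SafeTx(2, "hypeevm", [Confirmation("0x731", _utc("2025-01-10T10:30:00")), Confirmation("0xB48", _utc("2025-01-10T10:30:35"))]),
    SafeTx(3, "megaeth", [Confirmation("0xB48", _utc("2025-01-11T14:05:00")), Confirmation("0x731", _utc("2025-01-11T14:05:28"))]),
    SafeTx(4, "megaeth", [Confirmation("0x731", _utc("2025-01-12T09:00:00")), Confirmation("0xB48", _utc("2025-01-12T09:00:40"))]),
    SafeTx(5, "hypeevm", [Confirmation("0x731", _utc("2025-01-13T16:20:00")), Confirmation("0xB48", _utc("2025-01-13T16:20:31"))]),
    SafeTx(6, "hypeevm", [Confirmation("0x731", _utc("2025-01-14T11:00:00")), Confirmation("0x2Bc", _utc("2025-01-14T13:45:00"))]),
    SafeTx(7, "hypeevm", [Confirmation("0x731", _utc("2025-01-15T02:00:00")), Confirmation("0x2Bc", _utc("2025-01-15T02:00:33"))]),
]


def signing_gaps(txs: list[SafeTx]) -> list[tuple[int, str, str, str, float]]:
    """Per tx: (nonce, chain, first signer, second signer, seconds between them)."""
    rows = []
    for tx in txs:
        confs = sorted(tx.confirmations, key=lambda c: c.signed_at)
        if len(confs) < 2:
            continue  # threshold not reached yet; nothing to measure
        gap = (confs[1].signed_at - confs[0].signed_at).total_seconds()
        rows.append((tx.nonce, tx.chain, confs[0].signer, confs[1].signer, gap))
    return rows


def pair_stats(txs: list[SafeTx], fast_threshold: float = 60.0) -> dict[tuple[str, str], dict]:
    """Aggregate first-to-second gaps per unordered signer pair across all chains."""
    gaps: dict[tuple[str, str], list[float]] = defaultdict(list)
    for _, _, a, b, gap in signing_gaps(txs):
        gaps[tuple(sorted((a, b)))].append(gap)
    return {
        pair: {
            "n": len(g),
            "median_gap_s": median(g),
            "fast_fraction": sum(1 for x in g if x < fast_threshold) / len(g),
        }
        for pair, g in gaps.items()
    }


def flag_collocated_signers(txs: list[SafeTx], fast_threshold: float = 60.0,
                            min_txs: int = 5, min_fast_fraction: float = 0.8) -> list[tuple[str, str]]:
    """Pairs whose second signature almost always lands within fast_threshold of the first.

    A single fast co-signature is unremarkable; a consistent pattern over many
    txs is the signal the thread describes (assumed thresholds)."""
    return [
        pair for pair, s in pair_stats(txs, fast_threshold).items()
        if s["n"] >= min_txs and s["fast_fraction"] >= min_fast_fraction
    ]


def off_hours_txs(txs: list[SafeTx], tz: timezone = CET, start_hour: int = 0, end_hour: int = 6) -> list[int]:
    """Nonces whose first signature falls in the local night window [start_hour, end_hour)."""
    flagged = []
    for tx in txs:
        first = min(tx.confirmations, key=lambda c: c.signed_at)
        if start_hour <= first.signed_at.astimezone(tz).hour < end_hour:
            flagged.append(tx.nonce)
    return flagged


if __name__ == "__main__":
    for pair, s in pair_stats(SAMPLE_TXS).items():
        print(pair, s)
    print("consistently fast pairs:", flag_collocated_signers(SAMPLE_TXS))
    print("night-time (CET) txs:", off_hours_txs(SAMPLE_TXS))
```

On the constructed data the 0x731/0xB48 pair has five transactions with a median gap of 31 s and every gap under a minute, so it is flagged, while the 0x731/0x2Bc pair (one multi-hour gap, one fast one) is not; nonce 7 is the only transaction whose first signature lands in the CET night window. In practice the confirmation timestamps would come from the Safe transaction service export for the multisig, and the thresholds should be tuned to how the team actually coordinates before treating a hit as anything more than a prompt to ask questions.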