Huma Finance Legacy V1 Contract on Polygon Exploited for $101,400 in USDC

A logic vulnerability in Huma’s outdated V1 Polygon credit pools allowed an attacker to siphon off approximately $101,400 in USDC, yet its Solana-based PayFi V2 and PST token remain structurally intact.
Summary
- Huma reported that outdated V1 BaseCreditPool contracts on Polygon were exploited for around $101,400 in USDC and USDC.e during the wind-down process, while the current PayFi V2 on Solana remained unaffected.
- Blockaid identified the loss as a result of a refreshAccount() logic flaw that erroneously marked borrowers as “GoodStanding” without necessary validations, enabling the attacker to withdraw from treasury-linked pools in a single scripted transaction.
- All remaining V1 contracts on Polygon have now been suspended, with Huma affirming that ongoing deposits and PST positions on Solana’s restructured, permissionless PayFi platform are distinct from the vulnerable V1 code.
Huma Finance announced that its outdated V1 contracts on Polygon were compromised, resulting in approximately $101,400 in USDC and USDC.e being drained from previous liquidity pools that were already being phased out. The team emphasized that user deposits on its current PayFi platform are secure, Huma’s PST token remains unaffected, and its redesigned V2 system on Solana is architecturally separate from the compromised contracts.
An official post on X stated, “Huma Finance’s V1 BaseCreditPool deployments on Polygon were exploited … for ~$101K. Total drained: ~$101.4K (USDC + USDC.e),” with the team confirming that the incident was restricted to deprecated contracts rather than active production vaults. According to a detailed analysis by Web3 security firm Blockaid, cited by CryptoTimes, the loss is attributable to a logic error in a function named refreshAccount() within the V1 BaseCreditPool contracts, which improperly altered an account’s status from “Requested credit line” to “GoodStanding” without adequate checks.
This flaw allowed the attacker to circumvent access controls and withdraw funds from treasury-linked pools as if they were an authorized borrower. Blockaid’s investigation revealed that approximately 82,315.57 USDC was drained from one contract (0x3EBc1), 17,290.76 USDC.e from another (0x95533), and 1,783.97 USDC.e from a third (0xe8926), all executed in a single, well-planned transaction. The exploit did not involve breaking cryptographic measures or private keys but rather manipulating business logic to make the system believe the attacker was permitted to withdraw funds.
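The bug class described above, a bookkeeping function that promotes an account to a privileged state without checking that the state machine ever passed through approval, is easiest to see in a minimal contract. The following is an added illustration written for this article; it is not Huma's V1 code, and the contract name, the `State` enum, the `evaluationAgent` role, the `records` mapping and the simplified liquidity accounting are all assumptions. It places a flawed `refreshAccount_flawed()` beside a hardened `refreshAccount()` and emits state-transition events that a monitor can use to flag any account reaching `GoodStanding` without a preceding `Approved` transition.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Illustrative credit-pool state machine (assumed design, NOT Huma's code).
/// Shows how a maintenance function can silently grant draw rights when it does
/// not check which states it is allowed to operate on.
contract CreditPoolStateMachine {
    enum State { None, Requested, Approved, GoodStanding, Delinquent, Defaulted }

    struct CreditRecord {
        uint256 creditLimit;  // requested or approved limit
        uint256 principal;    // amount currently drawn
        uint256 nextDueDate;  // 0 until the evaluation agent approves the line
        State state;
    }

    address public immutable evaluationAgent; // only party allowed to approve lines
    uint256 public poolLiquidity;             // simplified stand-in for pool token balance
    mapping(address => CreditRecord) public records;

    /// Every transition is logged so off-chain monitoring can assert the invariant
    /// "no account enters GoodStanding unless it was Approved earlier".
    event StateChanged(address indexed borrower, State from, State to);

    constructor(address agent, uint256 initialLiquidity) {
        evaluationAgent = agent;
        poolLiquidity = initialLiquidity;
    }

    function _setState(CreditRecord storage cr, address borrower, State to) internal {
        emit StateChanged(borrower, cr.state, to);
        cr.state = to;
    }

    /// Anyone may request a line. This alone must never confer draw rights.
    function requestCreditLine(uint256 amount) external {
        CreditRecord storage cr = records[msg.sender];
        require(cr.state == State.None || cr.state == State.Requested, "active record");
        cr.creditLimit = amount;
        _setState(cr, msg.sender, State.Requested);
    }

    /// Only the evaluation agent moves Requested -> Approved.
    function approveCreditLine(address borrower, uint256 limit, uint256 dueDate) external {
        require(msg.sender == evaluationAgent, "not agent");
        CreditRecord storage cr = records[borrower];
        require(cr.state == State.Requested, "not requested");
        cr.creditLimit = limit;
        cr.nextDueDate = dueDate;
        _setState(cr, borrower, State.Approved);
    }

    /// FLAWED pattern: intended to roll a *live* account forward (bill, flag delinquency),
    /// but it treats any record with a non-zero limit as live. A merely Requested record
    /// with no principal therefore becomes GoodStanding without approval ever happening.
    function refreshAccount_flawed(address borrower) external returns (State) {
        CreditRecord storage cr = records[borrower];
        if (cr.creditLimit > 0 && cr.state != State.Defaulted) {
            bool overdue = cr.principal > 0 && block.timestamp > cr.nextDueDate;
            _setState(cr, borrower, overdue ? State.Delinquent : State.GoodStanding);
        }
        return cr.state;
    }

    /// HARDENED: refresh is only defined on states that are reachable from Approved;
    /// Requested, None and Defaulted records are rejected rather than promoted.
    function refreshAccount(address borrower) external returns (State) {
        CreditRecord storage cr = records[borrower];
        require(
            cr.state == State.Approved || cr.state == State.GoodStanding || cr.state == State.Delinquent,
            "account not live"
        );
        bool overdue = cr.principal > 0 && block.timestamp > cr.nextDueDate;
        _setState(cr, borrower, overdue ? State.Delinquent : State.GoodStanding);
        return cr.state;
    }

    /// Drawdown trusts the state machine, so it is only as safe as the weakest
    /// path into GoodStanding.
    function drawdown(uint256 amount) external {
        CreditRecord storage cr = records[msg.sender];
        require(cr.state == State.GoodStanding, "not in good standing");
        require(cr.principal + amount <= cr.creditLimit, "over limit");
        require(amount <= poolLiquidity, "insufficient liquidity");
        cr.principal += amount;
        poolLiquidity -= amount;
        // token transfer to msg.sender omitted in this simplified model
    }
}
```

The defensive point is that `drawdown()` is correct in isolation; the fault is in a function that was never meant to be an authorization path. In review or fuzzing, state every function's allowed input states explicitly (as `refreshAccount()` does) and, for deployed pools, alert on `StateChanged` logs where `to == GoodStanding` and the account has no earlier `to == Approved` transition.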
Huma noted that it was already in the process of decommissioning its V1 liquidity pools on Polygon when the exploit was executed and has since fully paused all remaining V1 contracts to mitigate any further risk. In its disclosure, the team highlighted that Huma 2.0 — a permissionless, composable “real-yield” PayFi platform launched on Solana in April 2025 with backing from Circle and the Solana Foundation — represents “a complete rebuild” with a different architecture that is not linked to the compromised V1 code.
The design of Huma 2.0 centers around the $PST (PayFi Strategy Token), a liquid, yield-bearing LP token that encapsulates positions in payment-financing strategies and can integrate with Solana DeFi protocols such as Jupiter, Kamino, and RateX. In contrast, the exploited V1 contracts were part of an older, permissioned credit-pool framework on Polygon, now effectively retired.
The main takeaway for users is that the approximately $101,400 USDC loss affected legacy protocol-level liquidity rather than individual wallets, and that ongoing deposits and PST positions on Solana are reported to be secure. Nevertheless, this incident adds to a growing list of DeFi exploits where the vulnerability stemmed not from signature schemes but from business logic in outdated contracts — emphasizing the necessity for teams like Huma to transition to redesigned architectures, and for users to approach “legacy” and “soon to be deprecated” pools with the same caution they apply to unaudited code.
