Huma Finance Legacy V1 Contract on Polygon Exploited, Resulting in $101,400 Loss in USDC

A logic flaw in Huma’s legacy V1 Polygon credit pools let an attacker siphon off about $101,400 in USDC; its Solana-based PayFi V2 and the PST token remain secure and structurally sound.

Summary

  • Huma disclosed that the outdated V1 BaseCreditPool contracts on Polygon were exploited for roughly $101,400 in USDC and USDC.e during the wind-down phase, while the current PayFi V2 on Solana stayed unaffected.
  • Blockaid identified the loss as stemming from a logic flaw in the refreshAccount() function, which mistakenly marked borrowers as “GoodStanding” without appropriate validations, thus allowing the attacker to withdraw from treasury-linked pools via a single scripted transaction.
  • All remaining V1 contracts on Polygon have been suspended, with Huma confirming that ongoing deposits and PST positions on Solana’s revamped, permissionless PayFi platform are separate from the vulnerable V1 code.

Huma Finance revealed that its obsolete V1 contracts on Polygon were compromised, leading to the draining of around $101,400 in USDC and USDC.e from previously phased-out liquidity pools. The team stressed that user deposits on the current PayFi platform are secure, Huma’s PST token is not affected, and the redesigned V2 system on Solana is architecturally independent of the compromised contracts.

An official update on X mentioned, “Huma Finance’s V1 BaseCreditPool deployments on Polygon were exploited … totaling ~$101K. Total drained: ~$101.4K (USDC + USDC.e),” with the team confirming that the event was limited to deprecated contracts, not active production vaults. According to an in-depth analysis by Web3 security firm Blockaid, referenced by CryptoTimes, the loss resulted from a logic error in a function called refreshAccount() within the V1 BaseCreditPool contracts that incorrectly changed an account’s status from “Requested credit line” to “GoodStanding” without the necessary checks.

This vulnerability allowed the attacker to bypass access controls and withdraw funds from treasury-linked pools as if they were an authorized borrower. Blockaid’s investigation showed that approximately 82,315.57 USDC was drained from one contract (0x3EBc1), 17,290.76 USDC.e from another (0x95533), and 1,783.97 USDC.e from a third (0xe8926), all executed in a single, orchestrated transaction. The exploit did not require breaking cryptographic measures or private keys, but rather exploited business logic to mislead the system into believing that the attacker was permitted to withdraw funds.
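As an added illustration (not Huma’s code and not a reconstruction of the actual contract), the Solidity sketch below shows the bug class the article describes: a refresh routine that promotes a self-requested credit line to GoodStanding, beside a guard that only lets refreshes act on lines that already passed approval. The enum values, record fields and the evaluationAgent role are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative credit-pool state machine, not Huma's code. The enum values,
// record fields and the evaluationAgent role are assumptions for the example.
contract CreditPoolStateMachine {
    enum CreditState { Deleted, Requested, Approved, GoodStanding, Delayed, Defaulted }

    struct CreditRecord { uint96 creditLimit; uint96 unbilledPrincipal; uint64 nextDueDate; CreditState state; }

    mapping(address => CreditRecord) public credits;
    address public evaluationAgent = msg.sender; // deployer acts as approver

    function requestCredit(uint96 limit) external {
        CreditRecord storage cr = credits[msg.sender];
        require(cr.state == CreditState.Deleted, "line exists");
        cr.creditLimit = limit;
        cr.state = CreditState.Requested;          // self-service: anyone can request
    }

    function approveCredit(address borrower) external {
        require(msg.sender == evaluationAgent, "not approver");
        CreditRecord storage cr = credits[borrower];
        require(cr.state == CreditState.Requested, "not requested");
        cr.state = CreditState.Approved;           // the only legitimate path forward
    }

    // Bug class described above: a bookkeeping refresh that equates "nothing is
    // due" with "in good standing" promotes a pending, never-approved request
    // straight to GoodStanding, e.g.:
    //   if (cr.unbilledPrincipal == 0) cr.state = CreditState.GoodStanding;
    // Hardened refresh: rejects accounts that never passed approval and only moves
    // an active line toward a worse state; repayments, not refreshes, restore GoodStanding.
    function refreshAccount(address borrower) external {
        CreditRecord storage cr = credits[borrower];
        require(uint8(cr.state) >= uint8(CreditState.GoodStanding), "not an active line");
        if (cr.state == CreditState.GoodStanding && block.timestamp > cr.nextDueDate) {
            cr.state = CreditState.Delayed;
        }
    }

    function drawdown(uint96 amount) external {
        CreditRecord storage cr = credits[msg.sender];
        require(cr.state == CreditState.Approved || cr.state == CreditState.GoodStanding, "not approved");
        require(cr.unbilledPrincipal + amount <= cr.creditLimit, "over limit");
        cr.unbilledPrincipal += amount;
        cr.nextDueDate = uint64(block.timestamp + 30 days);
        cr.state = CreditState.GoodStanding;
        // transfer of pool assets to msg.sender would happen here
    }
}
```

The guard that matters is in refreshAccount(): a state-update routine should never be able to grant a privilege (here, drawdown eligibility) that a separate approval step is supposed to confer.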

Huma noted it was already in the process of shutting down its V1 liquidity pools on Polygon when the exploit occurred, and has since fully halted all remaining V1 contracts to prevent any further risks. In its disclosure, the team emphasized that Huma 2.0 — a permissionless, composable “real-yield” PayFi platform launched on Solana in April 2025 with support from Circle and the Solana Foundation — signifies “a complete rebuild” with an architecture distinct from the compromised V1 code.

The architecture of Huma 2.0 revolves around the $PST (PayFi Strategy Token), a liquid, yield-bearing LP token that encompasses positions in payment-financing strategies and can interface with Solana DeFi protocols such as Jupiter, Kamino, and RateX. In contrast, the breached V1 contracts formed part of an earlier, permissioned credit-pool setup on Polygon, now effectively retired.

The key takeaway for users is that the nearly $101,400 USDC loss impacted legacy protocol-level liquidity rather than individual wallets, and ongoing deposits and PST positions on Solana are reported as secure. Nonetheless, this incident contributes to an expanding list of DeFi exploits where vulnerabilities originated not from signature schemes but from business logic in outdated contracts — underscoring the need for teams like Huma to shift toward redesigned architectures, and for users to exercise caution with “legacy” and “soon to be deprecated” pools, similar to how they would with unaudited code.