Huma Finance Legacy V1 Contract on Polygon Exploited, Resulting in $101,400 USDC Loss
A structural vulnerability in Huma’s outdated V1 Polygon credit pools permitted an attacker to extract around $101,400 in USDC. However, the Solana-based PayFi V2 and the PST token remain secure and structurally sound.
Summary
- Huma reported that the legacy V1 BaseCreditPool contracts on Polygon were exploited for roughly $101,400 in USDC and USDC.e while they were being wound down, while the current PayFi V2 on Solana stayed unaffected.
- Blockaid traced the loss to a logic flaw in the refreshAccount() function, which moved borrowers into “GoodStanding” without adequate validation, allowing the attacker to withdraw from treasury-linked pools in a single scripted transaction.
- All remaining V1 contracts on Polygon have been suspended, and Huma reassured users that ongoing deposits and PST holdings on Solana’s updated PayFi platform are separate from the vulnerable V1 code.
Huma Finance confirmed that its obsolete V1 contracts on Polygon were compromised, leading to the loss of around $101,400 in USDC and USDC.e from previously phased-out liquidity pools. The team emphasized that user deposits on the current PayFi platform are secure, Huma’s PST token remains unaffected, and the revamped V2 system on Solana functions independently from the compromised contracts.
An official update on X stated, “Huma Finance’s V1 BaseCreditPool deployments on Polygon were exploited … totaling ~$101K. Total drained: ~$101.4K (USDC + USDC.e),” with the team confirming that the incident was confined to deprecated contracts, not active production vaults. According to an in-depth analysis by the Web3 security firm Blockaid, referenced by CryptoTimes, the loss originated from a logical error in a function called refreshAccount() within the V1 BaseCreditPool contracts that erroneously switched an account’s status from “Requested credit line” to “GoodStanding” without necessary checks.
This vulnerability enabled the attacker to circumvent access controls and withdraw funds from treasury-linked pools as if they were an authorized borrower. Blockaid’s investigation revealed that approximately 82,315.57 USDC was siphoned from one contract (0x3EBc1), 17,290.76 USDC.e from another (0x95533), and 1,783.97 USDC.e from a third (0xe8926), all executed in a single, coordinated transaction. The exploit did not require breaking cryptographic measures or private keys but instead exploited business logic to trick the system into believing the attacker had permission to withdraw funds.
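To make the class of bug concrete, the following is an added illustration, not Huma's code: a hypothetical minimal credit-pool state machine in Solidity (all names, states and checks are assumptions) showing a refresh function that derives status from payment data alone beside a hardened variant that only re-evaluates accounts that already passed approval.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal credit-pool state machine (assumed names, not Huma's code).
contract CreditPoolExample {
    enum State { None, Requested, Approved, GoodStanding, Delinquent }
    struct CreditRecord {
        uint256 creditLimit; // borrowing cap requested/approved
        uint256 drawn;       // principal currently drawn
        uint64  dueDate;     // 0 until a bill has been issued
        State   state;
    }
    mapping(address => CreditRecord) public records;
    address public poolOwner;
    constructor() { poolOwner = msg.sender; }

    // Anyone may request a line; it is only usable once the pool owner approves it.
    function requestCredit(uint256 limit) external {
        records[msg.sender] = CreditRecord(limit, 0, 0, State.Requested);
    }

    function approveCredit(address borrower) external {
        require(msg.sender == poolOwner, "not pool owner");
        require(records[borrower].state == State.Requested, "nothing to approve");
        records[borrower].state = State.Approved;
    }

    // VULNERABLE pattern: status is derived from payment data alone, so a
    // record that is merely Requested (never approved) is promoted to GoodStanding.
    function refreshAccountVulnerable(address borrower) public {
        CreditRecord storage cr = records[borrower];
        bool overdue = cr.dueDate != 0 && block.timestamp > cr.dueDate;
        cr.state = overdue ? State.Delinquent : State.GoodStanding;
    }

    // HARDENED pattern: refresh only re-evaluates records that passed approval;
    // None/Requested records are never promoted by a refresh.
    function refreshAccount(address borrower) public {
        CreditRecord storage cr = records[borrower];
        require(cr.state != State.None && cr.state != State.Requested, "not approved");
        bool overdue = cr.dueDate != 0 && block.timestamp > cr.dueDate;
        cr.state = overdue ? State.Delinquent : State.GoodStanding;
    }

    // Drawdown trusts the state machine; it is only as safe as refreshAccount().
    function drawdown(uint256 amount) external {
        refreshAccount(msg.sender);
        CreditRecord storage cr = records[msg.sender];
        require(cr.state == State.GoodStanding, "not in good standing");
        require(cr.drawn + amount <= cr.creditLimit, "exceeds credit limit");
        cr.drawn += amount;
        // transfer of pool liquidity to msg.sender would follow here
    }
}
```

The point for reviewers is the transition table: a state-refresh routine must never be able to move an account across the approval boundary, and drawdown should rely on an explicit approved-state check rather than on the absence of an overdue bill.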
Huma indicated that it was already in the process of shutting down its V1 liquidity pools on Polygon when the exploit occurred and has since completely halted all remaining V1 contracts to prevent further risks. In its disclosure, the team stressed that Huma 2.0 — a permissionless, composable “real-yield” PayFi platform launched on Solana in April 2025 with backing from Circle and the Solana Foundation — signifies “a complete rebuild” with architecture distinct from the compromised V1 code.
The foundation of Huma 2.0 centers around the $PST (PayFi Strategy Token), a liquid, yield-bearing LP token that features positions in payment-financing strategies and can interact with Solana DeFi protocols such as Jupiter, Kamino, and RateX. In contrast, the compromised V1 contracts were part of an earlier, permissioned credit-pool framework on Polygon, which is now effectively retired.
The primary takeaway for users is that the nearly $101,400 USDC loss impacted legacy protocol-level liquidity, not individual wallets. Ongoing deposits and PST positions on Solana are reported to be secure. Nonetheless, this incident adds to the growing list of DeFi exploits where vulnerabilities were caused not by signature schemes but by business logic in outdated contracts — underscoring the necessity for teams like Huma to evolve towards redesigned architectures and for users to exercise caution with “legacy” and “soon-to-be deprecated” pools, similar to how they would with unaudited code.