Key Highlights
- Huma Finance’s old V1 smart contracts on Polygon were exploited, resulting in a loss of about $101,400 in USDC.
- The attack was caused by a smart contract logic flaw in one of its functions, which wrongly allowed unauthorized withdrawals from BaseCreditPool contracts.
- The exploit was limited to legacy systems already being phased out, and Huma has now fully paused V1 while confirming user funds remain safe.
Huma Finance, a decentralized PayFi network, confirmed that a vulnerability in its legacy V1 smart contracts on the Polygon network was exploited on Monday, resulting in the loss of about 101,400 USDC.
In a post on X, the company said the incident only affected the older system and did not touch newer parts of the protocol.
“No user funds at risk and PST is not impacted,” the team said, adding that its newer V2 system on Solana is a full rebuild that is not connected to this bug.
How the attack happened
The attack occurred in the V1 BaseCreditPool contracts, which are part of the older version of Huma Finance. According to Blockaid, a Web3 security firm that first reported the incident at around 3:10 PM UTC, the hacker was able to take advantage of a flaw in the contract code, which was inside a function called refreshAccount().
The function wrongly changed an account status from “Requested credit line” to “GoodStanding” without checking properly.
Because of this, the attacker was able to pass checks that should have blocked access and then withdraw funds from the system. Blockaid explained that about $101.4K worth of USDC and USDC.e was taken across several contracts linked to the V1 system.
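The class of bug described above can be shown with a small state-machine model. This is an added example, not Huma's contract code: the APPROVED and DELAYED states, approve(), drawdown(), the "overdue" field and the hardened flag are assumptions made for illustration, and all values are constructed.

```python
from enum import Enum

class State(Enum):
    REQUESTED = 1      # borrower has asked for a credit line, nothing approved
    APPROVED = 2       # approver has signed off on the requested limit
    GOOD_STANDING = 3  # active line, payments current
    DELAYED = 4        # active line, payment overdue

class CreditPool:
    """Toy model of a credit pool; `hardened` toggles the guarded refresh."""
    def __init__(self, liquidity, hardened):
        self.liquidity, self.hardened = liquidity, hardened
        self.accounts = {}  # borrower -> {"state", "limit", "overdue"}

    def request_credit(self, borrower, limit):
        # Permissionless in this model: the limit is only a proposal.
        self.accounts[borrower] = {"state": State.REQUESTED, "limit": limit, "overdue": False}

    def approve(self, borrower):
        # Stands in for the privileged underwriting step (assumed).
        self.accounts[borrower]["state"] = State.APPROVED

    def refresh_account(self, borrower):
        acct = self.accounts[borrower]
        # Hardened: only accounts that already hold an active line are refreshed.
        if self.hardened and acct["state"] not in (State.GOOD_STANDING, State.DELAYED):
            return acct["state"]
        # Unguarded path (model assumption): status is recomputed from payment
        # data alone, so a REQUESTED account comes out as GOOD_STANDING.
        acct["state"] = State.DELAYED if acct["overdue"] else State.GOOD_STANDING
        return acct["state"]

    def drawdown(self, borrower, amount):
        acct = self.accounts[borrower]
        if acct["state"] not in (State.APPROVED, State.GOOD_STANDING):
            raise PermissionError("credit line not approved")
        if amount > acct["limit"] or amount > self.liquidity:
            raise ValueError("amount exceeds limit or pool liquidity")
        acct["state"] = State.GOOD_STANDING
        self.liquidity -= amount
        return amount

def unapproved_drawdown_succeeds(hardened):
    """Regression check: can funds leave the pool without approve() being called?"""
    pool = CreditPool(liquidity=1_000, hardened=hardened)  # constructed sample values
    pool.request_credit("borrower", limit=1_000)
    pool.refresh_account("borrower")
    try:
        pool.drawdown("borrower", 1_000)
    except PermissionError:
        return False
    return pool.liquidity == 0
```

The check returns True for the unguarded model and False for the guarded one; a test of this shape, asserting that no sequence of permissionless calls reaches a withdrawable state, is the kind of invariant that catches this bug before deployment.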
Funds traced across contracts
Blockaid reported that one compromised contract, “0x3EBc1,” lost about 82,315.57 USDC, another “0x95533” lost 17,290.76 USDC.e, and a third “0xe8926” lost 1,783.97 USDC.e. The attacker’s address and exploit contract were also identified on-chain, and the movement of funds was tracked through PolygonScan records.
The exploit was carried out through a logic manipulation rather than a breach of cryptographic security. The attacker used the flaw to make the system think they were allowed to withdraw funds without doing enough extra checks.
Once the system wrongly approved them, they were able to pull out money from the treasury-linked pools. Everything happened in a single transaction, meaning it was done quickly and in one clean operation.
V1 shutdown already in motion
Huma Finance said it had already been in the process of shutting down all V1 contracts before the exploit occurred. Following the incident, the team fully paused V1 operations to stop any further risk.
The company stressed that the newer V2 system is not affected because it was built from scratch with a different structure and improved safety design. User deposits and newer systems are reported untouched, and operations continue normally on the updated V2 platform.
DeFi exploits continue in 2026
The Huma incident adds to a growing list of DeFi exploits recorded this year. Earlier on the same day, INK Finance reportedly suffered a separate exploit involving $140,000.
Other protocols, such as Kelp DAO, Drift Protocol, and Hyperbridge, have also experienced security incidents in 2026.
So far, over half a billion dollars have been stolen from DeFi-related protocols in different exploits and hacks this year alone. Many of these incidents share a common theme: attackers aren’t breaking blockchain systems directly but instead targeting errors in smart contract design.