A logic bug in Huma’s legacy V1 Polygon credit pools let an attacker drain about $101,400 in USDC, but its Solana‑based PayFi V2 and PST token remain structurally unaffected.
Summary
- Huma says deprecated V1 BaseCreditPool contracts on Polygon were exploited for roughly $101,400 in USDC and USDC.e while they were being wound down, whereas its live PayFi V2 on Solana was untouched.
- Blockaid traces the loss to a refreshAccount() logic flaw that flipped borrowers into “GoodStanding” without proper checks, letting the attacker withdraw from treasury‑linked pools in a single, scripted transaction.
- All remaining V1 contracts on Polygon are now paused, with Huma stressing that current deposits and PST positions on Solana’s rebuilt, permissionless PayFi architecture are separate from the vulnerable V1 code.
Huma Finance has disclosed that its legacy V1 contracts on Polygon were exploited, with roughly $101,400 in USDC and USDC.e drained from old liquidity pools that were already in the process of being wound down. The team stressed that no user deposits on its current PayFi platform are at risk, Huma’s PST token was not impacted, and its re‑architected V2 system on Solana is structurally separate from the affected contracts.
According to an official post on X, “Huma Finance’s V1 BaseCreditPool deployments on Polygon were exploited … for ~$101K. Total drained: ~$101.4K (USDC + USDC.e),” with the team confirming that the incident was confined to deprecated contracts rather than live production vaults. A detailed write‑up from Web3 security firm Blockaid, cited by CryptoTimes, attributes the loss to a logic flaw in a function called refreshAccount() inside the V1 BaseCreditPool contracts, which incorrectly changed an account’s status from “Requested credit line” to “GoodStanding” without sufficient checks.
That bug let the attacker bypass access controls and withdraw funds from treasury‑linked pools as if they were an approved borrower. Blockaid’s analysis shows about 82,315.57 USDC drained from one contract (0x3EBc1), 17,290.76 USDC.e from another (0x95533), and 1,783.97 USDC.e from a third (0xe8926), all in a tightly orchestrated sequence that executed in a single transaction. The exploit did not involve breaking cryptography or private keys, but rather manipulating business logic so the system “thought” the attacker was allowed to pull funds.
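As an added illustration (not Huma’s contract code, and written in Python as a model rather than in Solidity), the toy state machine below contrasts a refresh step that promotes any account that merely requested a credit line to GoodStanding with one that requires prior approval; the borrower name and the 100,000‑unit pool are constructed values.

```python
from enum import Enum

class State(Enum):
    REQUESTED = "Requested credit line"
    GOOD_STANDING = "GoodStanding"

class CreditPool:
    """Toy credit-pool state machine (constructed; not Huma's contract code)."""
    def __init__(self, liquidity: int, check_approval: bool) -> None:
        self.liquidity = liquidity
        # check_approval=False reproduces the flawed refresh described in the article
        self.check_approval = check_approval
        self.accounts: dict[str, dict] = {}

    def request_credit(self, borrower: str, limit: int) -> None:
        self.accounts[borrower] = {"state": State.REQUESTED, "limit": limit, "approved": False}

    def approve(self, borrower: str) -> None:
        # In a real pool only the evaluator/admin role may call this.
        self.accounts[borrower]["approved"] = True

    def refresh_account(self, borrower: str) -> State:
        acct = self.accounts[borrower]
        if acct["state"] is State.REQUESTED:
            if self.check_approval and not acct["approved"]:
                return acct["state"]  # hardened: a request alone never becomes GoodStanding
            acct["state"] = State.GOOD_STANDING  # flawed: anyone who asked gets promoted
        return acct["state"]

    def drawdown(self, borrower: str, amount: int) -> int:
        acct = self.accounts[borrower]
        if acct["state"] is not State.GOOD_STANDING:
            raise PermissionError("borrower is not in GoodStanding")
        if amount > acct["limit"] or amount > self.liquidity:
            raise ValueError("amount exceeds credit limit or pool liquidity")
        self.liquidity -= amount
        return self.liquidity

def attempt_drawdown(check_approval: bool, approved: bool, liquidity: int = 100_000) -> int:
    """Borrower requests credit, refreshes, tries to draw the whole pool; returns what is left."""
    pool = CreditPool(liquidity, check_approval)
    pool.request_credit("borrower", liquidity)
    if approved:
        pool.approve("borrower")
    pool.refresh_account("borrower")
    try:
        pool.drawdown("borrower", liquidity)
    except PermissionError:
        pass
    return pool.liquidity
```

With the flawed refresh an unapproved borrower empties the pool; with the approval check only a borrower the pool actually approved can draw.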
Huma says it had already been phasing out its V1 liquidity pools on Polygon when the exploit occurred, and has now fully paused all remaining V1 contracts to stop any further risk. In its disclosure, the team emphasised that Huma 2.0, a permissionless, composable “real‑yield” PayFi platform that launched on Solana in April 2025 with support from Circle and the Solana Foundation, is “a complete rebuild” with a different architecture and is not related to the vulnerable V1 code.
Huma 2.0’s design centres on $PST (PayFi Strategy Token), a liquid, yield‑bearing LP token that represents positions in payment‑financing strategies and can be integrated with Solana DeFi protocols such as Jupiter, Kamino and RateX. By contrast, the exploited V1 contracts were part of an older, permissioned credit‑pool system on Polygon, now effectively retired.
For users, the key takeaway is that the roughly $101,400 USDC loss hit legacy protocol‑level liquidity rather than individual wallets, and that current deposits and PST positions on Solana are reported as safe. Still, the incident adds another entry to a long list of DeFi exploits where the weak point was not signature schemes but business logic in ageing contracts, reinforcing why teams like Huma are migrating to redesigned architectures, and why users should treat “legacy” and “soon to be deprecated” pools with the same caution they reserve for unaudited code.