A logic bug in Huma’s legacy V1 Polygon credit pools let an attacker drain about $101,400 in USDC, but its Solana‑based PayFi V2 and PST token remain structurally unaffected.
Summary
- Huma says deprecated V1 BaseCreditPool contracts on Polygon were exploited for roughly $101,400 in USDC and USDC.e as they were being wound down, while its live PayFi V2 on Solana was untouched.
- Blockaid traces the loss to a refreshAccount() logic flaw that flipped borrowers into “GoodStanding” without proper checks, letting the attacker withdraw from treasury‑linked pools in a single, scripted transaction.
- All remaining V1 contracts on Polygon are now paused, with Huma stressing that current deposits and PST positions on Solana’s rebuilt, permissionless PayFi architecture are separate from the vulnerable V1 code.
Huma Finance has disclosed that its legacy V1 contracts on Polygon were exploited, with roughly $101,400 in USDC and USDC.e drained from old liquidity pools that were already in the process of being wound down. The team stressed that no user deposits on its current PayFi platform are at risk, Huma’s PST token was not impacted, and its re‑architected V2 system on Solana is structurally separate from the affected contracts.
According to an official post on X, “Huma Finance’s V1 BaseCreditPool deployments on Polygon were exploited … for ~$101K. Total drained: ~$101.4K (USDC + USDC.e),” with the team confirming that the incident was confined to deprecated contracts rather than live production vaults. A detailed write‑up from Web3 security firm Blockaid, cited by CryptoTimes, attributes the loss to a logic flaw in a function called refreshAccount() inside the V1 BaseCreditPool contracts, which incorrectly changed an account’s status from “Requested credit line” to “GoodStanding” without sufficient checks.
That bug let the attacker bypass access controls and withdraw funds from treasury‑linked pools as if they were an approved borrower. Blockaid’s analysis shows about 82,315.57 USDC drained from one contract (0x3EBc1), 17,290.76 USDC.e from another (0x95533), and 1,783.97 USDC.e from a third (0xe8926), all in a tightly orchestrated sequence that executed in a single transaction. The exploit did not involve breaking cryptography or private keys, but rather manipulating business logic so the system “thought” the attacker was allowed to pull funds.
Huma says it had already been phasing out its V1 liquidity pools on Polygon when the exploit occurred, and has now fully paused all remaining V1 contracts to prevent any further risk. In its disclosure, the team emphasized that Huma 2.0 — a permissionless, composable “real‑yield” PayFi platform that launched on Solana in April 2025 with support from Circle and the Solana Foundation — is “a complete rebuild” with a different architecture and is not connected to the vulnerable V1 code.
Huma 2.0’s design centers on the $PST (PayFi Strategy Token), a liquid, yield‑bearing LP token that represents positions in payment‑financing strategies and can be integrated with Solana DeFi protocols such as Jupiter, Kamino and RateX. By contrast, the exploited V1 contracts were part of an older, permissioned credit‑pool system on Polygon, now effectively retired.
For users, the key takeaway is that the roughly $101,400 USDC loss hit legacy protocol‑level liquidity rather than individual wallets, and that current deposits and PST positions on Solana are reported as safe. Still, the incident adds another example to a long list of DeFi exploits where the weak point was not signature schemes but business logic in aging contracts — reinforcing why teams like Huma are migrating to redesigned architectures, and why users should treat “legacy” and “soon to be deprecated” pools with the same caution they reserve for unaudited code.
