Close Menu
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
What's Hot

XRP Bearish Trend Deepens as Weak Liquidity and Falling Open Interest Signal Caution

July 9, 2026

Aave rolls out vaults for yield-hungry fintech investors

July 9, 2026

Uniswap integrated Sky’s LitePeg to enable 1:1 swaps among DAI, USDS and USDC

July 9, 2026
Facebook X (Twitter) Instagram
Recession Profit AlertsRecession Profit Alerts
  • Instructions
  • News
    • DeFi
    • Smart Contract
    • Markets
    • Web3
    • Adoption
    • Memecoins
    • Analysis
    • Mining
    • Scams
    • Security
  • Education
    • Learn
    • Wallets & Exchange
  • Documentaries
  • Videos
    • Alessio Rastani
    • Altcoin Buzz
    • Coin Bureau
    • Dapp University
    • DataDash
    • Digital asset News
    • EllioTrades Crypto
    • MMCrypto
    • Lark Davis
    • Ivan on Tech
    • Benjamin Cowen
  • Market
    • Crypto Market Cap
    • Heat Map
    • Converter
    • Metal Prices
    • Stock prices
  • Bonus Books
  • Tools
Recession Profit AlertsRecession Profit Alerts
Home»Security»Huma Finance legacy V1 contract on Polygon exploited for $101,400 USDC
Security

Huma Finance legacy V1 contract on Polygon exploited for $101,400 USDC

May 14, 2026No Comments3 Mins Read

A logic bug in Huma’s legacy V1 Polygon credit pools let an attacker drain about $101,400 in $USDC, but its Solana‑based PayFi V2 and PST token remain structurally unaffected.

Huma Finance has disclosed that its legacy V1 contracts on Polygon were exploited, with roughly $101,400 in $USDC and $USDC.e drained from old liquidity pools that were already in the process of being wound down. The team stressed that no user deposits on its current PayFi platform are at risk, Huma’s PST token was not impacted, and its re‑architected V2 system on Solana is structurally separate from the affected contracts.

According to an official post on X, “Huma Finance’s V1 BaseCreditPool deployments on Polygon were exploited … for ~$101K. Total drained: ~$101.4K ($USDC + $USDC.e),” with the team confirming that the incident was confined to deprecated contracts rather than live production vaults. A detailed write‑up from Web3 security firm Blockaid, cited by CryptoTimes, attributes the loss to a logic flaw in a function called refreshAccount() inside the V1 BaseCreditPool contracts, which incorrectly changed an account’s status from “Requested credit line” to “GoodStanding” without sufficient checks.

That bug let the attacker bypass access controls and withdraw funds from treasury‑linked pools as if they were an approved borrower. Blockaid’s analysis shows about 82,315.57 $USDC drained from one contract (0x3EBc1), 17,290.76 $USDC.e from another (0x95533), and 1,783.97 $USDC.e from a third (0xe8926), all in a tightly orchestrated sequence that executed in a single transaction. The exploit did not involve breaking cryptography or private keys, but rather manipulating business logic so the system “thought” the attacker was allowed to pull funds.

See also  LayerZero Team Explains the Reason Behind the Recent $290 Million Hack! Here Are the Details

Huma says it had already been phasing out its V1 liquidity pools on Polygon when the exploit occurred, and has now fully paused all remaining V1 contracts to prevent any further risk. In its disclosure, the team emphasized that Huma 2.0 — a permissionless, composable “real‑yield” PayFi platform that launched on Solana in April 2025 with support from Circle and the Solana Foundation — is “a complete rebuild” with a different architecture and is not connected to the vulnerable V1 code.

Huma 2.0’s design centers on the $PST (PayFi Strategy Token), a liquid, yield‑bearing LP token that represents positions in payment‑financing strategies and can be integrated with Solana DeFi protocols such as Jupiter, Kamino and RateX. By contrast, the exploited V1 contracts were part of an older, permissioned credit‑pool system on Polygon, now effectively retired.

For users, the key takeaway is that the roughly $101,400 $USDC loss hit legacy protocol‑level liquidity rather than individual wallets, and that current deposits and PST positions on Solana are reported as safe. Still, the incident adds another example to a long list of DeFi exploits where the weak point was not signature schemes but business logic in aging contracts — reinforcing why teams like Huma are migrating to redesigned architectures, and why users should treat “legacy” and “soon to be deprecated” pools with the same caution they reserve for unaudited code.

Source link

contract Exploited Finance Huma Legacy Polygon USDC

Related Posts

Uniswap integrated Sky’s LitePeg to enable 1:1 swaps among DAI, USDS and USDC

July 9, 2026

$2.4M exploit triggers EMURGO’s Cardano Pentad withdrawal

July 9, 2026

Scammers use Cristiano Ronaldo’s face to promote a crypto scam

July 9, 2026

One of the Most Popular Cryptocurrency Exchanges Responds Strongly to Hacking Allegations

July 9, 2026
Top Posts

When The Return Flight Is The Only Goal: Merz Ends China Trip

March 2, 2026

Hacker Steals Over $570m from Binance Bridge

October 19, 2023

Friend​.tech copycat Stars Arena patches exploit after some funds drained

October 6, 2023

Type above and press Enter to search. Press Esc to cancel.