A flaw in Huma Finance’s legacy V1 smart contracts on the Polygon network was exploited on May 11, 2026, resulting in the loss of approximately $101,400 in USDC. The incident, first detected by Web3 security firm Blockaid at around 3:10 PM UTC, highlights the persistent risks associated with deprecated DeFi infrastructure that remains accessible on-chain even after newer versions have shipped.
The Exploit Mechanics
The vulnerability resided in Huma Finance’s V1 BaseCreditPool contracts, specifically within a function called refreshAccount(). This function was designed to update a borrower’s account status, but it contained a critical logic flaw: it could transition an account from “Requested credit line” directly to “GoodStanding” without performing adequate authorization checks. By exploiting this state transition gap, the attacker was able to bypass the verification layer that should have prevented unauthorized withdrawals.
Once the attacker’s account status was fraudulently set to “GoodStanding,” the system permitted fund extraction from treasury-linked pools. The entire operation was executed in a single transaction, demonstrating a sophisticated understanding of the contract’s logic flow. According to Blockaid’s on-chain analysis, the attacker drained funds across three separate contracts: contract 0x3EBc1 lost approximately 82,315.57 USDC, contract 0x95533 lost 17,290.76 USDC.e, and contract 0xe8926 lost 1,783.97 USDC.e.
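As an added illustration (not Huma Finance's code), the simplified Solidity pair below contrasts a refreshAccount() that promotes a merely Requested account straight to GoodStanding with a version that only reaches GoodStanding through an explicit approval step; the CreditState set, the evaluationAgent role and every name here are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative reconstruction of the flaw class described above, not Huma Finance's code.
// The state set, the evaluationAgent role and every name here are assumptions.
enum CreditState { None, Requested, Approved, GoodStanding }

abstract contract CreditPoolBase {
    mapping(address => CreditState) public state;
    mapping(address => uint256) public creditLimit;
    address public evaluationAgent = msg.sender; // assumed approver role: the deployer

    function requestCredit(uint256 amount) external {
        state[msg.sender] = CreditState.Requested;
        creditLimit[msg.sender] = amount;
    }

    // Withdrawals gate on GoodStanding only, so whoever controls that transition controls the pool.
    function drawdown(uint256 amount) external {
        require(state[msg.sender] == CreditState.GoodStanding, "not in good standing");
        require(amount <= creditLimit[msg.sender], "over credit limit");
        // ... pool transfers `amount` to msg.sender (omitted)
    }
    function refreshAccount(address borrower) external virtual;
}

contract VulnerableCreditPool is CreditPoolBase {
    // FLAW: callable by anyone, and it promotes a merely Requested line
    // straight to GoodStanding, so the approval step is skipped entirely.
    function refreshAccount(address borrower) external override {
        if (state[borrower] == CreditState.Requested) {
            state[borrower] = CreditState.GoodStanding;
        }
    }
}

contract HardenedCreditPool is CreditPoolBase {
    // Only the approver can move Requested -> Approved.
    function approveCredit(address borrower) external {
        require(msg.sender == evaluationAgent, "not evaluation agent");
        require(state[borrower] == CreditState.Requested, "not a pending request");
        state[borrower] = CreditState.Approved;
    }

    // GoodStanding is reachable only from Approved; Requested and None are rejected outright.
    function refreshAccount(address borrower) external override {
        CreditState s = state[borrower];
        require(s == CreditState.Approved || s == CreditState.GoodStanding, "no active credit line");
        if (s == CreditState.Approved) state[borrower] = CreditState.GoodStanding;
    }
}
```

In the hardened version an unapproved caller can still invoke refreshAccount(), but it reverts rather than silently granting a credit line, which is the property an auditor would check for on every state-changing entry point.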
Affected Systems
The exploit was confined exclusively to Huma Finance’s V1 contracts deployed on the Polygon network. Huma Finance operates as a decentralized PayFi (payment finance) network, and its V1 system represented an earlier iteration of its lending and credit infrastructure. The affected BaseCreditPool contracts were part of this older architecture, which the team had already begun phasing out prior to the attack.
Crucially, the company confirmed that its newer V2 system, built on Solana, is entirely unaffected. The V2 protocol represents a complete architectural rewrite with a fundamentally different codebase and improved safety mechanisms. User deposits in V2 remain secure, and the protocol’s native token (PST) was not impacted by the incident. Bitcoin traded at approximately $81,224 and Ethereum at around $2,369 at the time of the exploit, providing broader market context for the event.
The Mitigation Strategy
Huma Finance responded swiftly to the incident. The team had already been in the process of decommissioning V1 contracts before the exploit occurred. Following the attack, all remaining V1 operations were fully paused to eliminate any possibility of further exploitation. The attacker’s address and exploit contract were identified on-chain through PolygonScan records, and the movement of stolen funds was tracked in real time by Blockaid’s monitoring systems.
The company posted an official statement on social media confirming the scope of the incident and reassuring users that V2 systems remained completely unaffected. The rapid response likely prevented additional losses, as the paused V1 contracts could no longer be interacted with by any party, including the attacker.
Lessons Learned
The Huma Finance incident underscores a critical lesson for DeFi protocols: legacy contracts that remain live on-chain continue to present attack surfaces even after newer, more secure versions have been deployed. The gap between deprecating a system and fully removing its on-chain presence creates a window of vulnerability that attackers actively scan for. Several key takeaways emerge from this incident:
- Legacy systems need active decommissioning. Simply launching a V2 does not eliminate V1 risk. Protocols should have clear timelines for fully disabling older contracts, including revoking approvals and removing liquidity.
- State transition logic demands rigorous auditing. The refreshAccount() flaw was a high-level semantic issue, not a low-level cryptographic vulnerability. These types of logic bugs are often harder to detect through automated scanning and require thorough manual review.
- Real-time monitoring saved the day. Blockaid’s detection within minutes of the exploit enabled a swift response, limiting the damage to approximately $101,000 rather than potentially far more.
- Architectural isolation pays off. Huma’s decision to build V2 on an entirely different chain (Solana) with a fresh codebase meant the exploit had zero blast radius beyond the deprecated V1 contracts.
User Action Required
For users who may have interacted with Huma Finance V1 on Polygon, the team has confirmed that no additional user action is required at this time. All V1 contracts have been paused, and the vulnerability cannot be exploited further. Users operating on V2 through Solana are completely unaffected. However, as a general best practice, anyone who previously approved V1 contracts on Polygon should consider revoking those token approvals through tools like Revoke.cash or similar platforms. As always, staying informed about protocol updates and migration plans remains essential for protecting your assets in the DeFi ecosystem.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.
Social engineering attacks are becoming more sophisticated
Multi-sig wallets should be the default for everyone in crypto
Yuki multi-sig would have stopped this specific exploit. requiring 2-of-3 signers for state transitions to GoodStanding makes unauthorized transitions basically impossible
2-of-3 multisig on state transitions would have caught this instantly. a single signer flipping accounts to GoodStanding is a design flaw not a hack
Trent the 2-of-3 multisig point is correct but the real issue is refreshAccount() allowing state transitions without auth checks. multisig fixes the symptom not the bug
slither_fan_ the multisig debate misses the point. refreshAccount() doing a state transition without auth checks is the bug. multisig just makes it harder to trigger
Hardware wallet adoption is the single biggest security improvement anyone can make
$101K from a V1 contract that should have been deprecated. Huma shipped V2 and left the old pools sitting there connected to treasury. migration hygiene matters
Tomer B. leaving V1 pools connected to treasury after shipping V2 is the kind of thing that should fail an audit. migration plans are not optional
Formal verification should be mandatory for high-value protocols
The amount of DeFi exploits is still way too high
James Whitfield formal verification catches math errors but refreshAccount() bypassing authorization is a design flaw. you can formally verify the wrong design
Bug bounties are the most cost-effective security investment
eth_staker_ bug bounties work when the payout exceeds what a hacker could make from the exploit. $101K drained means the bounty should have been at least $150K. most protocols lowball this
bounty needs to be 1.5-2x the exploit value to actually work. $101K drained means the bounty should have been $200K minimum. protocols keep lowballing and getting burned
deprecated contracts sitting onchain with live treasury access is a ticking bomb on every protocol that shipped V2 without fully migrating. this will happen again