{"id":28210,"date":"2026-05-11T20:08:22","date_gmt":"2026-05-11T20:08:22","guid":{"rendered":"https:\/\/bitunikey.com\/news\/huma-finance-legacy-v1-contract-on-polygon-exploited-for-101400-usdc\/"},"modified":"2026-05-11T20:08:44","modified_gmt":"2026-05-11T20:08:44","slug":"huma-finance-legacy-v1-contract-on-polygon-exploited-for-101400-usdc","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/huma-finance-legacy-v1-contract-on-polygon-exploited-for-101400-usdc\/","title":{"rendered":"Huma Finance legacy V1 contract on Polygon exploited for $101,400 USDC"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">A logic bug in Huma\u2019s legacy V1 Polygon credit pools let an attacker drain about $101,400 in USDC, but its Solana\u2011based PayFi V2 and PST token remain structurally unaffected.<\/p>\n<div id=\"cn-block-summary-block_0a1fc1ae69a53d72b4dc3295310c49da\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Huma says deprecated V1 BaseCreditPool contracts on Polygon were exploited for roughly $101,400 in USDC and USDC.e as they were being wound down, while its live PayFi V2 on Solana was untouched.<\/li>\n<li>Blockaid traces the loss to a refreshAccount() logic flaw that flipped borrowers into \u201cGoodStanding\u201d without proper checks, letting the attacker withdraw from treasury\u2011linked pools in a single, scripted transaction.<\/li>\n<li>All remaining V1 contracts on Polygon are now paused, with Huma stressing that current deposits and PST positions on Solana\u2019s rebuilt, permissionless PayFi architecture are separate from the vulnerable V1 code.<\/li>\n<\/ul><\/div>\n<\/div>\n<p>Huma Finance has disclosed that its legacy V1 contracts on Polygon were exploited, with 
roughly $101,400 in USDC and USDC.e drained from old liquidity pools that were already in the process of being wound down. The team stressed that no user deposits on its current PayFi platform are at risk, Huma\u2019s PST token was not impacted, and its re\u2011architected V2 system on Solana is structurally separate from the affected contracts.<\/p>\n<p>According to an official post on X, \u201cHuma Finance\u2019s V1 BaseCreditPool deployments on Polygon were exploited \u2026 for ~$101K. Total drained: ~$101.4K (USDC + USDC.e),\u201d with the team confirming that the incident was confined to deprecated contracts rather than live production vaults. A detailed write\u2011up from Web3 security firm Blockaid, cited by CryptoTimes, attributes the loss to a logic flaw in a function called refreshAccount() inside the V1 BaseCreditPool contracts, which incorrectly changed an account\u2019s status from \u201cRequested credit line\u201d to \u201cGoodStanding\u201d without sufficient checks.<\/p>\n<p>That bug let the attacker bypass access controls and withdraw funds from treasury\u2011linked pools as if they were an approved borrower. Blockaid\u2019s analysis shows about 82,315.57 USDC drained from one contract (0x3EBc1), 17,290.76 USDC.e from another (0x95533), and 1,783.97 USDC.e from a third (0xe8926), all in a tightly orchestrated sequence that executed in a single transaction. The exploit did not involve breaking cryptography or private keys, but rather manipulating business logic so the system \u201cthought\u201d the attacker was allowed to pull funds.<\/p>\n<p>Huma says it had already been phasing out its V1 liquidity pools on Polygon when the exploit occurred, and has now fully paused all remaining V1 contracts to prevent any further risk. 
In its disclosure, the team emphasized that Huma 2.0 \u2014 a permissionless, composable \u201creal\u2011yield\u201d PayFi platform that launched on Solana in April 2025 with support from Circle and the Solana Foundation \u2014 is \u201ca complete rebuild\u201d with a different architecture and is not connected to the vulnerable V1 code.<\/p>\n<p>Huma 2.0\u2019s design centers on the $PST (PayFi Strategy Token), a liquid, yield\u2011bearing LP token that represents positions in payment\u2011financing strategies and can be integrated with Solana DeFi protocols such as Jupiter, Kamino and RateX. By contrast, the exploited V1 contracts were part of an older, permissioned credit\u2011pool system on Polygon, now effectively retired.<\/p>\n<p>For users, the key takeaway is that the roughly $101,400 USDC loss hit legacy protocol\u2011level liquidity rather than individual wallets, and that current deposits and PST positions on Solana are reported as safe. Still, the incident adds another example to a long list of DeFi exploits where the weak point was not signature schemes but business logic in aging contracts \u2014 reinforcing why teams like Huma are migrating to redesigned architectures, and why users should treat \u201clegacy\u201d and \u201csoon to be deprecated\u201d pools with the same caution they reserve for unaudited code.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A logic bug in Huma\u2019s legacy V1 Polygon credit pools let an attacker drain about $101,400 in USDC, but its Solana\u2011based PayFi V2 and PST token remain structurally unaffected. 
Summary&hellip;<\/p>\n","protected":false},"author":1,"featured_media":28211,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-28210","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/28210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=28210"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/28210\/revisions"}],"predecessor-version":[{"id":28212,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/28210\/revisions\/28212"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/28211"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=28210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=28210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=28210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}