Logic flaw drains $101K from Huma's old Polygon contracts
An attack on the V1 smart contracts of Huma Finance on Polygon resulted in a loss of $101,400 USDC. The exploit added to what’s already been a difficult time for DeFi protocols on the network.
The exploit was reported by web3 security firm Blockaid. The attacker targeted BaseCreditPool deployments related to Huma’s older V1 infrastructure. The total loss was ~$101,400 in USDC and USDC.e coins across various contracts.
Huma Finance confirmed the incident on X, saying “No user funds at risk and PST is not impacted.” The team said its V2 system, which runs on Solana, was built from scratch. It shares no code with the compromised contracts.
Huma’s V1 flaw was in one function
The smart contract flaw was found inside a function named refreshAccount(). Its a function located within the V1 BaseCreditPool contracts. Blockaid security researchers identified the bug. They shared more information on X, saying:
“Bug: refreshAccount() unconditionally promotes a Requested credit line to GoodStanding, bypassing the EA approval step and enabling drawdown().”
refreshAccount() labelled accounts with ‘good standing’ without actual verification or conditions. The attacker took advantage of this flaw and drained funds from the protocol’s treasury pools
The losses were found in three contracts according to Blockaid’s on-chain analysis. One account lost ~82,300 USDC. A second lost ~17,300 USDC.e. And a third account lost ~1,800 USDC.e. According to on-chain data, the entire exploit was completed in one transaction.
There was no cryptographic issue. The attacker just changed the contract’s state machine to trick it into treating an unauthorized account as legit.
Huma’s team wrote on X, “Earlier today a vulnerability in Huma’s legacy v1 contracts on Polygon was exploited for 101,400 USDC.” They continued, “Huma’s v2 system on Solana is a complete rewrite and this issue does not apply to v2 systems.”
Huma said it had already been winding down V1 operations before the exploit occurred. The team said on X, “The teams were already in the process of sunsetting all the legacy v1 pools, and have paused v1 completely now.”
After the incident, the team fully paused all remaining V1 contracts. The company said that user deposits on V2 were untouched and that the newer platform continues to operate normally.
Victim contracts:https://t.co/eLxi7skhsI (Huma V1 BaseCreditPool – 82,315.57 USDC)https://t.co/EnPLFdvOM8 (Huma V1 BaseCreditPool – 17,290.76 USDC.e)https://t.co/prR0lxoD7L (Huma V1 BaseCreditPool – 1,783.97 USDC.e)
Attacker: https://t.co/S0zOa5ClJk
Exploit contract:…— Blockaid (@blockaid_) May 11, 2026
Polygon had a bad day
According to a recent report from Cryptopolitan, the exploit took place on the same day that Ink Finance lost almost $140,000 from its Workspace Treasury Proxy contract on Polygon. The attacker deployed a contract matching a whitelisted claimer address to bypass eligibility checks.
In both incidents, the attackers found logic mistakes in smart contract design. The back-to-back exploits on Polygon come after April 2026, setting the record for the worst month of smart contract losses.
If you're reading this, you’re already ahead. Stay there with our newsletter.
Recommended Articles
