Huma Finance’s Legacy V1 Contracts on Polygon Breached, Resulting in $101,400 Loss

Huma Finance Reports Significant Loss Due to Exploit

Huma Finance has reported a significant loss of approximately $101,400 in USDC following an exploit of its older V1 credit pools on the Polygon blockchain. The exploit targeted now-obsolete contracts and allowed an attacker to remove funds from liquidity pools that were in the process of being decommissioned. The incident did not affect the current PayFi platform or the Huma PST token, both of which operate on a separate Solana-based V2 architecture and remain secure.

Details of the Attack

Huma Finance shared details of the attack on X, clarifying that the breach impacted only deprecated contracts and that all remaining V1 contracts have since been put on hold to mitigate any further risk. A report from Web3 security experts at Blockaid, highlighted by CryptoTimes, identified a flaw in the logic of the V1 BaseCreditPool contracts as the source of the breach. This flaw, found in a function known as refreshAccount, enabled the attacker to manipulate the system into granting access as if they were a verified borrower.

Execution of the Attack

The attack was executed in a single transaction, draining funds from various contracts: around 82,315.57 USDC from one contract, along with approximately 17,290.76 USDC.e and 1,783.97 USDC.e from others. The method did not rely on breaking cryptographic protections; it exploited vulnerabilities in the contracts' business logic.

Transition to Huma 2.0

Huma Finance is actively transitioning away from these outdated V1 contracts, which were part of a now-retired credit pool system. Its new platform, Huma 2.0, launched in April 2025 with backing from Circle and the Solana Foundation, emphasizes a fresh architecture that prioritizes security. This reimagined system features the $PST token, designed for liquidity and yield-bearing strategies, and integrates with well-known Solana DeFi protocols such as Jupiter and Kamino.

Key Takeaways for Users

For users, the primary message is clear: the funds lost were linked to older protocol-level liquidity, and the incident did not compromise individual user wallets or current deposits within the new PayFi system. Incidents like this highlight ongoing vulnerabilities in decentralized finance, especially in legacy contracts, and underscore the importance of transitioning to more robust and innovatively designed architectures. Users should exercise caution regarding outdated or soon-to-be-retired assets.