Key Highlights
- Huma Finance’s old V1 smart contracts on Polygon were exploited, resulting in a loss of about 101,400 USDC.
- The attack was caused by a smart contract logic flaw in the refreshAccount() function, which wrongly allowed unauthorized withdrawals from BaseCreditPool contracts.
- The exploit was limited to legacy systems already being phased out, and Huma has now fully paused V1 while confirming user funds remain safe.
Huma Finance, a decentralized PayFi network, confirmed that a vulnerability in its legacy V1 smart contracts on the Polygon network was exploited on Monday, resulting in the loss of about 101,400 USDC.
In a post on X, the company said the incident only affected the older system and did not touch newer parts of the protocol.
“No user funds at risk and PST is not impacted,” the team said, adding that its newer V2 system on Solana is a full rebuild that is not connected to this bug.
How the attack happened
The attack happened in the V1 BaseCreditPool contracts, which are part of the older version of Huma Finance. According to Blockaid, a Web3 security firm that first reported the incident at around 3:10 PM UTC, the attacker took advantage of a flaw in the contract code, inside a function called refreshAccount().
The function wrongly changed an account's status from “Requested credit line” to “GoodStanding” without the proper checks.
Because of this, the attacker was able to pass checks that should have blocked access and then withdraw funds from the system. Blockaid explained that about $101.4K worth of USDC and USDC.e was taken across multiple contracts linked to the V1 system.
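The state-transition flaw described above, as an added example rather than code from Huma Finance or Blockaid: a simplified Python model of a credit pool whose refresh_account() promotes any record to GoodStanding, next to a hardened variant that only refreshes lines that are already active. The APPROVED state, all class and method names other than the refreshAccount name it mirrors, and the amounts are assumptions made for illustration.

```python
from contextlib import suppress
from enum import Enum, auto

class CreditState(Enum):
    REQUESTED = auto()      # credit line requested, not yet approved
    APPROVED = auto()       # hypothetical intermediate state (assumption)
    GOOD_STANDING = auto()  # active line

class PoolError(Exception): pass

class CreditPool:
    """Constructed model; hardened=False reproduces the flaw the article describes."""
    def __init__(self, liquidity, hardened):
        self.liquidity, self.hardened = liquidity, hardened
        self.state, self.limit = {}, {}   # both keyed by borrower

    def request_credit(self, borrower, limit):
        self.state[borrower], self.limit[borrower] = CreditState.REQUESTED, limit

    def approve(self, borrower):
        if self.state[borrower] is not CreditState.REQUESTED:
            raise PoolError("nothing to approve")
        self.state[borrower] = CreditState.APPROVED

    def refresh_account(self, borrower):
        current = self.state[borrower]
        # Hardened: refresh may only re-evaluate a line that is already active.
        if self.hardened and current is not CreditState.GOOD_STANDING:
            return
        # Flawed path: nothing is overdue, so any record is marked healthy.
        self.state[borrower] = CreditState.GOOD_STANDING

    def drawdown(self, borrower, amount):
        # The withdrawal gate trusts the stored state alone.
        if self.state[borrower] not in (CreditState.APPROVED, CreditState.GOOD_STANDING):
            raise PoolError("credit line not approved")
        if amount > self.limit[borrower] or amount > self.liquidity:
            raise PoolError("over limit or liquidity")
        self.state[borrower] = CreditState.GOOD_STANDING
        self.liquidity -= amount

def unapproved_drawdown(hardened, liquidity=1_000, ask=1_000):
    """Request a line, skip approval, refresh, try to draw; return (state, liquidity left)."""
    pool = CreditPool(liquidity, hardened)
    pool.request_credit("unapproved", ask)
    pool.refresh_account("unapproved")
    with suppress(PoolError):
        pool.drawdown("unapproved", ask)
    return pool.state["unapproved"], pool.liquidity
```

The invariant worth testing in any such contract is that no bookkeeping function can move an account into a state that authorizes withdrawals unless the approval step has actually run.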
Funds traced across contracts
Blockaid reported that one compromised contract, “0x3EBc1,” lost about 82,315.57 USDC, another “0x95533” lost 17,290.76 USDC.e, and a third “0xe8926” lost 1,783.97 USDC.e. The attacker’s address and exploit contract were also identified on-chain, and the movement of funds was tracked through PolygonScan records.
The exploit was carried out through logic manipulation rather than a breach of cryptographic security. The attacker used the flaw to make the system treat them as authorized to withdraw funds, because the contract did not perform enough additional checks.
Once the system wrongly approved them, they were able to pull money out of the treasury-linked pools. Everything happened in a single transaction, meaning it was done quickly and in one operation.
V1 shutdown already in motion
Huma Finance said it had already been in the process of shutting down all V1 contracts before the exploit happened. Following the incident, the team fully paused V1 operations to stop any further risk.
The company stressed that the newer V2 system is not affected because it was built from scratch with a different structure and improved safety design. User deposits and newer systems are reported untouched, and operations continue normally on the updated V2 platform.
DeFi exploits continue in 2026
The Huma incident adds to a growing list of DeFi exploits recorded this year. Earlier on the same day, INK Finance reportedly suffered a separate exploit involving $140,000.
Other protocols, such as Kelp DAO, Drift Protocol, and Hyperbridge, have also experienced security incidents in 2026.
So far, over half a billion dollars has been stolen from DeFi-related protocols in different exploits and hacks this year alone. Many of these incidents share a common theme: attackers are not breaking blockchain systems directly but instead targeting mistakes in smart contract design.
