Huma Finance’s legacy V1 smart contracts on the Polygon network were exploited for approximately $101,400 in USDC and USDC.e, draining funds from old credit pools that were already being wound down. The incident, disclosed on May 11, 2026, targeted deprecated base credit pool deployments and did not affect the project’s current PayFi V2 platform on Solana or its PST token.
The exploit was traced to a logic flaw in the refreshAccount() function inside the V1 BaseCreditPool contracts. According to security firm Blockaid, the function unconditionally promoted an account’s status from “Requested credit line” to “GoodStanding,” bypassing the required approval step. This allowed an attacker to call drawdown() and drain treasury‑linked funds in a single, tightly orchestrated transaction. On‑chain analysis shows the attacker siphoned 82,315.57 USDC from one contract, 17,290.76 USDC.e from another, and 1,783.97 USDC.e from a third.
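A simplified Python model of the state-transition flaw Blockaid describes, added here as an illustration and not Huma's contract code. The state names, the CreditPool class and the hardened switch are assumptions; the model puts the flawed refresh beside one that promotes only approved accounts, and ends with the invariant a regression test should assert.

```python
from enum import Enum, auto

class CreditState(Enum):        # names are assumptions based on the article's wording
    NONE = auto()
    REQUESTED = auto()          # "Requested credit line"
    APPROVED = auto()           # set only by the approver role
    GOOD_STANDING = auto()      # the only state drawdown() accepts

class CreditPool:
    def __init__(self, liquidity, approver, hardened):
        self.liquidity, self.approver, self.hardened = liquidity, approver, hardened
        self.state, self.limit = {}, {}

    def request_credit(self, borrower, limit):
        self.state[borrower], self.limit[borrower] = CreditState.REQUESTED, limit

    def approve(self, caller, borrower):
        if caller != self.approver:
            raise PermissionError("only the approver can approve")
        if self.state.get(borrower) != CreditState.REQUESTED:
            raise ValueError("no pending request")
        self.state[borrower] = CreditState.APPROVED

    def refresh_account(self, borrower):
        current = self.state.get(borrower, CreditState.NONE)
        if self.hardened:
            # Hardened: promote only out of the explicitly approved state.
            if current == CreditState.APPROVED:
                self.state[borrower] = CreditState.GOOD_STANDING
        elif current != CreditState.NONE:
            # Flawed: promotes without checking which state the account is leaving.
            self.state[borrower] = CreditState.GOOD_STANDING
        return self.state.get(borrower, CreditState.NONE)

    def drawdown(self, borrower, amount):
        if self.state.get(borrower) != CreditState.GOOD_STANDING:
            raise PermissionError("account not in good standing")
        if amount > self.limit[borrower] or amount > self.liquidity:
            raise ValueError("amount exceeds credit limit or pool liquidity")
        self.liquidity -= amount
        return amount

def unapproved_drawdown_possible(hardened):  # invariant: no funds leave without approve()
    pool = CreditPool(liquidity=1_000, approver="approver", hardened=hardened)  # constructed values
    pool.request_credit("borrower", limit=1_000)
    pool.refresh_account("borrower")         # approve() is never called
    try:
        return pool.drawdown("borrower", 1_000) == 1_000
    except PermissionError:
        return False
```

The same invariant, that no path reaches the drawdown-eligible state without passing through approval, is the property to encode in a contract test suite or a fuzzing harness for any credit-line state machine.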
Huma Finance confirmed that no user deposits on its live system were at risk. The V2 PayFi architecture, launched on Solana in April 2025 with backing from Circle and the Solana Foundation, is a complete rebuild that shares no code with the vulnerable legacy contracts. The team had already been in the process of sunsetting V1 pools and has now paused all remaining V1 contracts entirely.
The exploit came on the same day that another Polygon DeFi protocol, Ink Finance, lost nearly $140,000 due to a similar logic bug, highlighting the dangers of aging smart contract code.