Huma Finance Reports $101K Exploit of Deprecated V1 Contracts on Polygon

CryptoBriefing
Summary

Huma Finance reported a DeFi exploit on May 11, with $101,000 drained from its deprecated V1 contracts on Polygon. The attack involved unauthorized drawdowns of 82,316 USDC and 19,075 USDC.e due to a logic flaw in the credit-lifecycle management. On-chain news confirmed no user funds were impacted, and the Solana-based V2 system remains unaffected. Security experts called the flaw a preventable access-control issue. The DeFi exploit was disclosed via social media the same day. Huma’s V2 deployment and PST token continue operating normally.

Huma Finance disclosed that its deprecated V1 BaseCreditPool contracts on Polygon were exploited for approximately $101,000, with an attacker draining 82,316 USDC and 19,075 USDC.e through unauthorized drawdowns. The incident, which occurred on May 11, traces back to a logic error in the credit-lifecycle management of contracts that were already supposed to be out of commission.

No user deposits were affected. The PayFi Strategy Token (PST) and Huma’s V2 deployment on Solana remain fully operational and untouched. The damage was confined to pool owner fees and protocol fees.

What went wrong in the deprecated contracts

The root cause was a credit-lifecycle logic error. The old smart contracts had a flaw in how they managed the stages of a credit line, specifically around who could initiate drawdowns and under what conditions. That gap allowed someone to pull funds they should never have been able to access.

Security experts analyzing the incident characterized it as a preventable access-control flaw rather than some novel zero-day vulnerability.

Huma’s response and broader context

Huma Finance announced the exploit on social media the same day it happened. The protocol was quick to draw a clear line between what was compromised and what was not. User deposits: safe. PST holdings: unaffected. The Solana-based V2 system: operating normally. This distinction matters because Huma had recently integrated PST into USD* backing strategies on April 30, just about two weeks before the exploit.

Huma Finance positions itself as a decentralized PayFi protocol, bridging payment financing with on-chain infrastructure. The protocol originated in 2025 and has been building out its presence with a particular focus on Solana as its primary operational chain going forward. The Polygon-based V1 contracts were essentially the older model, left behind as the team upgraded.

No other major incidents or notable updates from Huma were reported in the 30 days preceding the exploit.

What this means for investors and the DeFi ecosystem

Deprecated smart contracts represent a systemic blind spot across DeFi. Protocols upgrade, migrate chains, and launch V2 and V3 iterations, but the old contracts persist on-chain indefinitely. If residual funds aren’t fully drained and the contracts aren’t hardened or paused, they become targets.

Expert analysis indicated this was a straightforward access-control flaw, the kind of vulnerability that deeper audits would catch. Most audit firms focus their attention on new deployments, not old ones gathering dust.
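The article gives only the shape of the flaw (a credit-lifecycle check around who could draw down and under what conditions) and the remedy (pause and drain deprecated pools). The sketch below is an added illustration of that pattern, not Huma's code and not the actual V1 bug, whose details are not on the page; the contract name, the `CreditState` enum, the `drawdownUnsafe` / `drawdown` functions and the deprecation helpers are all assumed for the example. It places a drawdown that checks only the credit limit beside one that also enforces caller, lifecycle state and a pause switch, and adds the owner-only steps an operator would run when retiring a pool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch (not Huma's code). All names below are assumptions
// chosen for the example; the real V1 design and bug are not on the page.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract CreditPoolSketch {
    // Assumed credit lifecycle: only Approved or GoodStanding may draw down.
    enum CreditState { Deleted, Requested, Approved, GoodStanding, Delayed, Defaulted }

    struct CreditRecord {
        uint96 creditLimit;
        uint96 balance;
        CreditState state;
    }

    IERC20 public immutable token;          // pool asset (e.g. a USDC-like ERC20)
    address public owner;                    // pool operator
    bool public paused;                      // deprecation / emergency switch
    mapping(address => CreditRecord) public credits;

    event Drawdown(address indexed borrower, uint256 amount);
    event Paused();
    event ResidualSwept(address indexed to, uint256 amount);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "pool paused"); _; }
    modifier whenPaused() { require(paused, "pool not paused"); _; }

    constructor(IERC20 asset) { token = asset; owner = msg.sender; }

    function approveCredit(address borrower, uint96 limit) external onlyOwner {
        credits[borrower] = CreditRecord(limit, 0, CreditState.Approved);
    }

    // WEAK pattern: the only guard is the credit limit. Any caller may name
    // any borrower, a Defaulted or Deleted line still passes, and nothing
    // stops the call once the pool has been retired.
    function drawdownUnsafe(address borrower, uint96 amount) external {
        CreditRecord storage cr = credits[borrower];
        require(cr.balance + amount <= cr.creditLimit, "exceeds limit");
        cr.balance += amount;
        require(token.transfer(borrower, amount), "transfer failed");
        emit Drawdown(borrower, amount);
    }

    // HARDENED pattern: the caller draws only on their own line, the line
    // must be in a drawable lifecycle state, and a paused pool refuses all
    // drawdowns regardless of state.
    function drawdown(uint96 amount) external whenNotPaused {
        CreditRecord storage cr = credits[msg.sender];
        require(
            cr.state == CreditState.Approved || cr.state == CreditState.GoodStanding,
            "credit not drawable"
        );
        require(cr.balance + amount <= cr.creditLimit, "exceeds limit");
        cr.balance += amount;
        cr.state = CreditState.GoodStanding;
        require(token.transfer(msg.sender, amount), "transfer failed");
        emit Drawdown(msg.sender, amount);
    }

    // Deprecation steps for a pool being retired: freeze first, then sweep
    // whatever is left (fees included) so nothing remains to be drained.
    function pause() external onlyOwner {
        paused = true;
        emit Paused();
    }

    function sweepResidual(address to) external onlyOwner whenPaused {
        uint256 remaining = token.balanceOf(address(this));
        require(token.transfer(to, remaining), "transfer failed");
        emit ResidualSwept(to, remaining);
    }
}
```

The two functions differ only in the guards, which is the point: a limit check alone says nothing about who is asking or whether the line is still live. For a retired deployment the operational checklist is the last two functions in order, `pause()` and then `sweepResidual()`, followed by a balance check on the old address; a monitor that alerts on any `Drawdown` event from a contract that is supposed to be paused is a cheap detection for exactly the class of incident described above.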

The broader DeFi market showed no significant ripple effects from the exploit. The V2 architecture is separate from the compromised V1 contracts, and no evidence suggests shared vulnerabilities between the two.
