Huma Finance V1 Polygon Contract Exploited for $101,400 USDC

A logic bug in Huma Finance's legacy V1 credit pools on Polygon allowed an attacker to drain approximately $101,400 in USDC. The company said its Solana-based PayFi V2 and PST token were not affected by the vulnerability.

May 11, 2026, 08:18 PM

Key Takeaways

  • Huma Finance disclosed a logic bug in its legacy V1 contract on Polygon that enabled an attacker to exploit credit pools and withdraw $101,400 in USDC.
  • The company confirmed the incident and said it had identified the root cause in the contract's authorization logic.
  • The exploitation was confined to Huma's older V1 infrastructure on Polygon.
  • The company stated that its primary product line—PayFi V2 running on Solana, along with its PST governance token—remained structurally unaffected and did not share the vulnerable code path.
  • Huma said it was reviewing additional defensive measures and would communicate next steps.

The Vulnerability

Huma Finance disclosed a logic bug in its legacy V1 contract on Polygon that enabled an attacker to exploit credit pools and withdraw $101,400 in USDC. The company confirmed the incident and said it had identified the root cause in the contract's authorization logic.

Scope Limited to Polygon V1

The exploitation was confined to Huma's older V1 infrastructure on Polygon. The company stated that its primary product line—PayFi V2 running on Solana, along with its PST governance token—remained structurally unaffected and did not share the vulnerable code path. Huma said it was reviewing additional defensive measures and would communicate next steps.

Industry Context

The incident underscores the ongoing risk of legacy contract deployments in DeFi, particularly when older versions of protocols remain in production after newer iterations launch on different chains. While the dollar amount is modest relative to major protocol exploits, the case highlights the importance of maintaining audit rigor on all active contract versions, not just new releases.

Why It Matters

For Traders

USDC and PST liquidity on Huma V2 are not directly at risk; exposure is limited to Polygon V1 users, who should monitor for further disclosures.

For Investors

The incident signals execution risk for legacy code paths; protocols deploying across multiple chains should establish clear deprecation timelines for older versions.

For Builders

Consider versioning strategy and audit frequency for mainnet-deployed contracts; a single unpatched V1 instance can undermine confidence in a protocol's full stack.
