Key Highlights
- Huma Finance’s old V1 smart contracts on Polygon were hijacked by a sly gremlin of logic, resulting in a tidy disappearance of about 101,400 USDC, like a polite mugging by a calculator.
- The culprit was a crafty flaw in the refreshAccount function, which allowed unauthorized withdrawals to waltz right past the velvet rope of security.
- The misadventure was confined to legacy systems already being retired to the comedic retirement home of code; Huma has now paused V1 while assuring users that funds are safe, probably sipping tea and pretending everything is perfectly normal.
Huma Finance, a decentralized PayFi network, confirmed that a vulnerability in its legacy V1 smart contracts on the Polygon network was exploited, resulting in the loss of about 101,400 USDC.
In a post on X, the company said the incident only affected the older system and did not touch newer parts of the protocol.
“No user funds at risk and PST is not impacted,” the team said, adding that its newer V2 system on Solana is a full rebuild that is not connected to this bug.
Earlier today a vulnerability in Huma’s legacy v1 contracts on Polygon was exploited for 101,400 USDC.
No user funds at risk and PST is not impacted. Huma’s v2 system on Solana is a complete rewrite and this issue does not apply to v2 systems.
The teams were already in the…
– Huma Finance (@humafinance) May 11, 2026
How the attack unfolded
The misadventure took place in the V1 BaseCreditPool contracts, the venerable elderly cousins of the modern DeFi family. According to Blockaid, a Web3 security firm that first noticed the kerfuffle at around 3:10 PM UTC, the intruder exploited a flaw inside a function called refreshAccount().
The function merrily toggled an account status from “Requested credit line” to “GoodStanding” without performing the due diligence checks that should have stood in the way.
Because of this, the attacker could breeze past checks that should have blocked access and then withdraw funds from the treasury. Blockaid explained that about 101.4K USDC and USDC.e were siphoned across multiple contracts linked to the V1 system.
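A simplified model of the flaw described above, as an added example rather than Huma's contract code: only refreshAccount and the two status names come from the report, while the approver role, the intermediate approved state, the drawdown function and all amounts are assumptions. It tests the invariant that funds cannot leave the pool unless an approval step has run, with the unguarded refresh beside a guarded one.

```python
from enum import Enum, auto

class State(Enum):
    DELETED = auto()
    REQUESTED = auto()      # "Requested credit line" in the report
    APPROVED = auto()       # assumed intermediate state set by an approver
    GOOD_STANDING = auto()  # "GoodStanding" in the report

class Unauthorized(Exception):
    pass

class Pool:
    """Toy credit pool; hardened=False models the unguarded refresh."""
    def __init__(self, treasury, approver, hardened):
        self.treasury, self.approver, self.hardened = treasury, approver, hardened
        self.state, self.limit = {}, {}

    def request_credit(self, borrower, limit):
        # Permissionless by design: a request alone must grant nothing.
        self.state[borrower], self.limit[borrower] = State.REQUESTED, limit

    def approve_credit(self, caller, borrower):
        if caller != self.approver or self.state.get(borrower) is not State.REQUESTED:
            raise Unauthorized("approval rejected")
        self.state[borrower] = State.APPROVED

    def refresh_account(self, borrower):
        current = self.state.get(borrower, State.DELETED)
        # Guard: a refresh may only act on accounts that were approved.
        if self.hardened and current not in (State.APPROVED, State.GOOD_STANDING):
            return current
        self.state[borrower] = State.GOOD_STANDING
        return State.GOOD_STANDING

    def drawdown(self, borrower, amount):
        if self.state.get(borrower) is not State.GOOD_STANDING:
            raise Unauthorized("account not in good standing")
        if amount > min(self.limit.get(borrower, 0), self.treasury):
            raise Unauthorized("amount exceeds limit or treasury")
        self.treasury -= amount
        return amount

def unapproved_drawdown_possible(hardened):
    """Invariant test: can funds leave without approve_credit ever running?"""
    pool = Pool(treasury=1_000, approver="approver", hardened=hardened)
    pool.request_credit("stranger", 1_000)   # constructed sample values
    pool.refresh_account("stranger")
    try:
        pool.drawdown("stranger", 1_000)
    except Unauthorized:
        return False
    return pool.treasury == 0
```

The same invariant, written as a property test over every public function, is the kind of check that flags a state-changing helper that skips the approval path.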
Funds traced across contracts
Blockaid reported that one compromised contract, “0x3EBc1,” lost about 82,315.57 USDC, another “0x95533” lost 17,290.76 USDC.e, and a third “0xe8926” lost 1,783.97 USDC.e. The attacker’s address and exploit contract were identified on-chain, and the movement of funds was tracked through PolygonScan like breadcrumbs left by a very code-curious ant.
The exploit was a matter of crafty logic rather than a breach of cryptographic spellbooks. The attacker used the flaw to make the system believe they were allowed to withdraw funds without performing the usual extra checks.
Once the world (or at least the contract) wrongly approved them, they pulled money from the treasury-linked pools. Everything happened in a single transaction, which is a fancy way of saying the universe watched in astonishment as a single keystroke performed a minor miracle and a small-scale theft.
V1 shutdown already in motion
Huma Finance stated it had already been in the process of shutting down all V1 contracts before the exploit occurred. Following the incident, the team fully paused V1 operations to stop any further risk, which is a very grown-up thing to do when your toaster begins whispering about insurance.
The company stressed that the newer V2 system is not affected because it was built from scratch with a different structure and improved safety design. User deposits and newer systems are reported untouched, and operations continue normally on the updated V2 platform.
DeFi exploits continue in 2026
The Huma incident adds to a growing list of DeFi exploits recorded this year. Earlier on the same day, INK Finance reportedly suffered a separate exploit involving $140,000.
Other protocols, such as Kelp DAO, Drift Protocol, and Hyperbridge, have also experienced security incidents in 2026.
So far, over half a billion dollars have been stolen from DeFi-related protocols in different exploits and hacks this year alone. A common thread emerges: attackers rarely need to break cryptography when they can simply find a few lines of flawed logic and order a draw from the near-eternal ledger of miscalculations.
2026-05-11 20:52