
Huma Finance disclosed that its deprecated V1 BaseCreditPool contracts on Polygon were exploited for approximately $101,000, after an attacker drained 82,316 USDC and 19,075 USDC.e through unauthorized drawdowns. The incident occurred on May 11 and was linked to a logic error in the credit-lifecycle management of contracts that were already intended to be out of commission.
Huma said no user deposits were affected. It also stated that its PayFi Strategy Token (PST) and its V2 deployment on Solana were fully operational and not touched by the exploit. According to the disclosure, the damage was confined to pool owner fees and protocol fees.
The root cause was a credit-lifecycle logic error. Huma’s older smart contracts had a flaw in how they managed the stages of a credit line—particularly around who could initiate drawdowns and under what conditions. This gap enabled an unauthorized party to pull funds they should not have been able to access.
Security experts reviewing the incident characterized it as a preventable access-control flaw rather than a novel zero-day vulnerability.
Huma announced the exploit on social media the same day it happened and emphasized the separation between compromised and unaffected components. The protocol’s user deposits were described as safe, PST holdings as untouched, and the Solana-based V2 system as operating normally.
Huma noted that it had integrated PST into USD* backing strategies on April 30, roughly two weeks before the exploit. It also said there were no other major incidents or notable updates from the protocol in the 30 days leading up to May 11.
Huma’s disclosure highlights a broader issue in decentralized finance: deprecated smart contracts can become a systemic blind spot. Even as protocols upgrade and migrate to newer versions (such as V2 and V3), older contracts remain on-chain indefinitely. If residual funds are not fully drained and contracts are not hardened or paused, they can still be targeted.
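The checks these paragraphs point to (who may draw down, in which lifecycle stage, and whether a retired pool still pays out) can be sketched as a small model. This is an added illustration, not Huma's contract code; the state names, fields, addresses and the `deprecated` flag are assumptions made for the example.

```python
# Added illustration: a simplified credit-line model, not Huma's V1 contracts.
# All names, states and values here are hypothetical.
from dataclasses import dataclass, field
from enum import Enum, auto

class CreditState(Enum):
    REQUESTED = auto()
    APPROVED = auto()
    GOOD_STANDING = auto()
    DEFAULTED = auto()
    CLOSED = auto()

# Only these lifecycle stages may draw funds.
DRAWABLE = {CreditState.APPROVED, CreditState.GOOD_STANDING}

@dataclass
class CreditLine:
    borrower: str
    limit: int                       # smallest token unit
    drawn: int = 0
    state: CreditState = CreditState.REQUESTED

@dataclass
class Pool:
    liquidity: int
    deprecated: bool = False         # a retired pool refuses every drawdown
    lines: dict = field(default_factory=dict)

def refusal_reason(pool, caller, borrower, amount):
    """Return why a drawdown must be refused, or None if it may proceed."""
    if pool.deprecated:
        return "pool is deprecated"
    line = pool.lines.get(borrower)
    if line is None:
        return "no credit line"
    if caller != line.borrower:
        return "caller is not the borrower"
    if line.state not in DRAWABLE:
        return f"state {line.state.name} is not drawable"
    if amount <= 0 or line.drawn + amount > line.limit:
        return "amount outside credit limit"
    if amount > pool.liquidity:
        return "insufficient pool liquidity"
    return None

def drawdown(pool, caller, borrower, amount):
    """Move funds only after every check passes; return the refusal reason, if any."""
    reason = refusal_reason(pool, caller, borrower, amount)
    if reason is None:
        line = pool.lines[borrower]
        line.drawn += amount
        line.state = CreditState.GOOD_STANDING
        pool.liquidity -= amount
    return reason
```

Every check runs before any balance changes, and the deprecation flag is evaluated first so that a retired pool with residual funds cannot be drawn on regardless of the state of its credit lines.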
Expert analysis described the vulnerability as the type of access-control issue that deeper audits would typically catch, noting that many audit firms focus on new deployments rather than older contracts that may be left behind.
Huma said the broader DeFi market showed no significant ripple effects. It attributed this to the separation between the compromised Polygon-based V1 contracts and the Solana-based V2 architecture, adding that there was no evidence of shared vulnerabilities between the two.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
