

Huma Finance exploit hits legacy v1 Polygon contracts for $101K, but the team says user funds, PST and Solana v2 remain unaffected.
Author: Kritika Gupta
11th May 2026 - Earlier today, the Huma Finance exploit targeted legacy v1 contracts on Polygon and drained approximately $101,400 in USDC and USDC.e. However, Huma Finance said the incident did not put user funds at risk, and the protocol’s PayFi Strategy Token (PST) remains unaffected.
Importantly, the Huma Finance exploit only involved deprecated v1 infrastructure that the team had already been sunsetting. The project’s newer Huma v2 system on Solana, which launched as a full protocol rewrite, does not share the same vulnerability. Following the incident, Huma paused all v1 operations and accelerated the shutdown process for the old pools.
Erbil
@0xErbil
Huma 2.0 and PST (v2) are safe and no user funds were impacted. The exploit could only access ~$100k protocol fees collected from legacy v1 pools. https://t.co/o25GgW2eOn
Earlier today a vulnerability in Huma’s legacy v1 contracts on Polygon was exploited for 101,400 USDC. No user funds at risk and PST is not impacted. Huma’s v2 system on Solana is a complete rewrite and this issue does not apply to v2 systems. The teams were already in the https://t.co/DFjpamH2PW
03:32 PM·May 11, 2026
The Huma Finance exploit targeted deprecated v1 BaseCreditPool contracts on Polygon. These contracts belonged to Huma’s earlier infrastructure and existed before the April 2025 launch of Huma 2.0 on Solana. Although Huma had already moved toward sunsetting these v1 pools, some residual protocol fees and pool-owner fees remained inside three affected addresses. Together, these balances totaled roughly $101,400.
The attacker used a public state-transition flaw in the BaseCreditPool contracts to drain the funds without needing privileged access. Therefore, the incident appears limited to leftover funds in old Polygon-based contracts, rather than active user deposits or Huma’s current Solana-based system. This is the first reported smart contract exploit affecting Huma Finance. Until now, the protocol had maintained a clean public security record since its founding.
Huma has also built a notable profile in the PayFi sector, supported by more than $38 million in funding and a leadership team with experience across major technology and fintech companies. Still, the incident shows that even protocols with strong teams and active migrations can face risk when legacy contracts remain live with value inside them.
However, similar DeFi incidents involving deprecated or legacy contracts have often produced muted reactions when attackers only drain protocol-owned fees and leave user deposits untouched. In those cases, traders usually focus on three questions: whether user funds were affected, whether the active protocol remains secure, and whether the team responds quickly.
So far, early indications suggest that HUMA has not seen a major price reaction. That aligns with the limited scope of the exploit, since the affected contracts belonged to legacy v1 infrastructure rather than Huma’s active v2 PayFi system.
Key milestones related to this development
Huma Finance initially operates its v1 protocol on Polygon, supporting early PayFi liquidity and stablecoin credit infrastructure.
Huma later moves toward Solana v2, prioritizing faster settlement, higher throughput, and a redesigned PayFi architecture.
An exploit is identified around Huma’s legacy Polygon-side infrastructure, with USDC movement triggering security concerns.
Huma Finance publicly acknowledges the issue through an official X post and begins communicating the incident status.
Affected contracts are paused or restricted while the team investigates the exploit path and assesses exposure.
The next phase depends on fund tracing, possible recovery efforts, security review, and a detailed post-mortem.
Huma Finance responded quickly by pausing all v1 pools and accelerating the sunsetting process already underway. In addition, co-founders Richard Liu and Erbil publicly clarified that the exploit affected only protocol fees and pool-owner fees. They also reiterated that user capital, PST, and the Solana-based v2 protocol remain unaffected.
This distinction matters because Huma v2 operates as a ground-up rewrite rather than a direct continuation of the vulnerable v1 contracts. As a result, the vulnerability in the Polygon legacy pools does not appear to carry over into the current Solana-based system.
Meanwhile, security firms including Blockaid and ExVul published on-chain analysis that supported the limited-scope assessment. Huma also said it will share further technical details as its root-cause investigation continues.
This exploit highlights a recurring DeFi security problem: legacy contracts can remain risky even after a protocol migrates to newer infrastructure.
In practice, old contracts can become “zombie” risk surfaces when teams leave residual assets, fee balances, or administrative flows inside them. Even if the active protocol has moved on, attackers can still target those remaining balances if the contracts retain exploitable logic.
For Huma, the immediate financial damage appears contained. The attacker drained about $101,400, and Huma says user funds, PST, and v2 operations remain safe. That limits the direct impact on the protocol’s core PayFi business.