
Huma Finance said a vulnerability in its legacy V1 contracts on Polygon was exploited for about $101,400 in USDC and USDC.e. The Huma Finance exploit matters because the team says current user deposits, PST and its Solana V2 system were unaffected, shifting the story from active protocol failure to legacy-contract risk.
Huma Finance exploit hit deprecated Polygon V1 pools
Huma Finance said its legacy v1 contracts on Polygon were exploited for 101,400 USDC, while stressing that user funds were not at risk, PST was not impacted, and its v2 system on Solana was a complete rewrite unaffected by the issue. Blockaid flagged the exploit as affecting Huma Finance’s deprecated V1 BaseCreditPool deployments on Polygon, with roughly $101,400 drained in USDC and USDC.e.
BaseCreditPool logic created the attack surface
The exploit appears to have centered on old BaseCreditPool contracts and their handling of credit-state logic. Blockaid’s alert put the affected surface at deprecated V1 BaseCreditPool deployments on Polygon. Crypto Briefing reported that the attacker drained 82,316 USDC and 19,075 USDC.e from deprecated V1 BaseCreditPool contracts through unauthorized drawdowns. That means the attacker did not need a market crash, oracle failure or governance takeover. The pathway sat inside contract logic that decided whether funds could be drawn.
That is why the case fits Cryptic Daily’s Web3 Fraud Files. A legacy pool can still become a live loss vector if users, protocol fees or owner balances remain inside it. A product migration does not automatically remove the old contract from the chain. Unless access is blocked, funds are removed and permissions are cleaned up, the risk remains publicly reachable on-chain.
On-chain impact was limited to protocol-side value
Huma said the vulnerability affected its old V1 contracts and that user funds were not at risk. Crypto Briefing reported that the losses were confined to pool owner fees and protocol fees, not customer deposits. That is an important trust distinction because DeFi exploit headlines often merge treasury exposure, protocol-fee loss and user-deposit loss into one figure.
The amount also needs precision. The commonly cited total is 101,400 USDC, and Huma’s official statement says the exploit hit legacy v1 contracts rather than current user funds. The suspected exploit flow can be cross-checked against the Polygon transaction record, which provides the transaction hash and event-level blockchain data.
The risk is not only the size of the loss. The risk is that the affected contracts were outdated and still capable of releasing value. A smaller exploit can still signal poor contract retirement discipline. Huma’s case sits next to other recent incidents where old or custom infrastructure created the loss path, including legacy swap contracts, obsolete routers and dormant pools that remained reachable after users moved elsewhere.
Huma says PST and Solana V2 were unaffected
Huma drew a clear line around what was not affected. The team said PST was not impacted, user funds were not at risk, and its V2 Solana system is a full rewrite that does not inherit the same vulnerability. That message was necessary because Huma has been building around PayFi infrastructure and tokenized yield products, where confidence depends on clean separation between old and current systems. Crypto Briefing reported the same user-funds and V2-containment framing while adding the USDC and USDC.e token split. Users still need a full technical postmortem to understand why the V1 contracts retained exploitable value.
This matters for builders beyond Huma. A rewrite can reduce inherited technical risk, but it does not erase risk left behind. Teams building across Polygon, Solana, Ethereum and other networks need a migration plan that covers old contracts, not just new code. Cryptic Daily’s Web3 Builder coverage often focuses on new infrastructure, but the security lesson here is that abandoned infrastructure can damage the new product’s trust.
The old-contract problem keeps repeating across DeFi
The Huma Finance exploit is part of a wider pattern: deprecated contracts remain one of DeFi’s most persistent weak points. Teams ship new versions, move liquidity, change chain strategy and rewrite systems, but the original contracts stay on-chain. If those contracts still hold balances, accept calls or depend on old assumptions, attackers can revisit them long after the main product has moved on. This pattern appeared in Transit Finance’s recent incident, where a deprecated TRON contract was exploited after the platform had already moved away from the old version. It also appears in custom RFQ and treasury systems where permissions or approvals remain live even after an interface changes.
The technical issue varies. The operational issue is the same: retirement is a security process, not a release note.
For Huma, the strongest public claim is that the active V2 system was isolated from the V1 failure. That is good for containment. Still, the market will judge whether the team can show complete decommissioning of the old Polygon contracts, removal of remaining value, and monitoring for any other deprecated pools. A legacy exploit becomes more damaging if it reveals a repeatable process gap.
What Huma must publish before confidence returns
Huma’s next credible milestone is a full incident report that names the affected V1 BaseCreditPool contracts, lists the exploit transactions, explains the credit-lifecycle flaw, and states whether all remaining V1 operations have been halted. Some reports say V1 operations were fully suspended after the incident, but users need that confirmed through official Huma channels with contract-level detail.
The report should also separate three balances: user deposits, pool owner fees and protocol fees. Huma has said user funds were not at risk, but a postmortem should show how that separation worked in practice. It should also explain whether any remaining permissions, borrower states or pool functions could create future exposure.
The remediation plan should include old-contract monitoring, public contract registries, deprecation warnings, removal of residual balances and documented shutdown steps. If a contract cannot be disabled, teams should still publish what remains callable and why it no longer holds funds. That is the minimum standard for a protocol that has moved to a rewritten system. Huma’s next signal is whether the team publishes contract-level evidence showing that the May 11 exploit was confined to deprecated Polygon V1 pools and cannot repeat through other legacy routes. Until that postmortem lands, the core user takeaway is narrow but serious: current systems may be safe, but old contracts can still carry real financial risk. This article is for informational purposes only and does not constitute financial or investment advice.
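The decommissioning checklist above (block access, remove residual balances, clean up permissions, keep monitoring old pools) can be turned into a repeatable audit. The following is an added example, not code from Huma Finance or from any of the reports cited in this article: it evaluates a constructed snapshot of legacy pool state against that checklist and flags the combination that produced the loss described in the BaseCreditPool section, value still inside a contract whose drawdown entry points remain callable. The pool names, addresses, balances, role names and snapshot fields are all assumptions for illustration.

```python
"""Retirement audit for deprecated on-chain pool contracts.

Added example, not Huma Finance code. It takes a constructed snapshot of
legacy pool state and checks it against a decommissioning checklist:
drawdown paths disabled, no residual balances, no open credit lines, no
privileged roles still assigned. Snapshot fields and names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SEVERITY_RANK = {"clean": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class PoolSnapshot:
    """One deprecated pool as seen by a monitoring job (constructed shape)."""
    name: str
    address: str                     # placeholder addresses below, not real deployments
    paused: bool                     # True when drawdown and deposit entry points are disabled
    balances: Dict[str, int] = field(default_factory=dict)  # token symbol -> base units
    open_credit_lines: int = 0       # borrower states that could still request a drawdown
    live_roles: List[str] = field(default_factory=list)    # roles still assigned on the contract


@dataclass
class Finding:
    pool: str
    severity: str   # "high", "medium" or "low"
    message: str


def audit_pool(pool: PoolSnapshot, dust_threshold: int = 0) -> List[Finding]:
    """Return the findings for one pool; an empty list means it is fully retired."""
    findings: List[Finding] = []
    residual = {sym: amt for sym, amt in pool.balances.items() if amt > dust_threshold}

    # Value reachable through still-callable logic is the worst case: that is the
    # shape of a legacy-pool drain, residual value plus a live entry point.
    if residual and not pool.paused:
        findings.append(Finding(pool.name, "high",
                                f"entry points still callable while holding {residual}"))
    elif residual:
        findings.append(Finding(pool.name, "medium",
                                f"paused but still holds {residual}; sweep to treasury"))
    elif not pool.paused:
        findings.append(Finding(pool.name, "low",
                                "holds no value but is still callable; disable or document why"))

    # Credit state that survives deprecation can re-enable drawdowns later.
    if pool.open_credit_lines > 0:
        findings.append(Finding(pool.name, "high",
                                f"{pool.open_credit_lines} credit line(s) still open"))

    # Privileged roles left behind are a standing permission-cleanup gap.
    if pool.live_roles:
        findings.append(Finding(pool.name, "medium",
                                f"roles still assigned: {sorted(pool.live_roles)}"))
    return findings


def highest_severity(findings: List[Finding]) -> str:
    """Collapse a finding list to its worst severity, or "clean" if empty."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="clean")


def audit_registry(pools: List[PoolSnapshot], dust_threshold: int = 0) -> Dict[str, List[Finding]]:
    """Audit every registered legacy pool; only pools with findings appear in the result."""
    report: Dict[str, List[Finding]] = {}
    for pool in pools:
        findings = audit_pool(pool, dust_threshold)
        if findings:
            report[pool.name] = findings
    return report


# Constructed sample registry: balances in 6-decimal base units, addresses are placeholders.
LEGACY_POOLS = [
    PoolSnapshot("v1-credit-pool-a", "0xPLACEHOLDER_A", paused=False,
                 balances={"USDC": 80_000_000_000, "USDC.e": 20_000_000_000},
                 open_credit_lines=2, live_roles=["POOL_OWNER", "PAUSER"]),
    PoolSnapshot("v1-credit-pool-b", "0xPLACEHOLDER_B", paused=True,
                 balances={"USDC": 1_500_000_000}),
    PoolSnapshot("v1-credit-pool-c", "0xPLACEHOLDER_C", paused=True,
                 balances={"USDC": 0}),
]

if __name__ == "__main__":
    for name, findings in audit_registry(LEGACY_POOLS).items():
        print(f"{name}: {highest_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

In practice the snapshot would be filled from chain reads (token balances of each deprecated address, its pause flag, its role assignments and any outstanding credit records) on a schedule, and anything other than an empty report for a pool the team considers retired is the signal to act. The dust threshold exists so that a few base units of rounding residue do not keep a genuinely retired pool on the alert list.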
Zashleen Singh doesn't just report on Web3; she digs into it. With a background in software development across top tech companies and the Web3 space, she brings a developer's precision to investigative journalism. Specialising in crypto fraud, decentralised applications, and Web3 infrastructure, she has covered over 200 blockchain projects and broken major rug pull investigations that sparked real community action.