The post Huma Finance exploit Polygon: $101,000 loss from V1 pools appeared on BitcoinEthereumNews.com.

Huma Finance exploit Polygon: $101,000 loss from V1 pools


A Huma Finance exploit on Polygon has put a familiar DeFi problem back in the spotlight: old contracts can stay dangerous long after a protocol has moved on. Huma Finance said roughly $101,000 was drained from its deprecated V1 BaseCreditPool contracts on Polygon on May 11, but user deposits were not affected.

The attacker pulled out 82,316 USDC and 19,075 USDC.e through unauthorized drawdowns, according to the protocol’s disclosure. Just as important for users, Huma said the losses were limited to pool owner fees and protocol fees, not customer funds.

That distinction matters. In crypto, the words “exploit” and “drained” can quickly trigger fears of wider contagion. Here, Huma drew a sharp line between the older Polygon-based system that was hit and the parts of the project still running normally, including PayFi Strategy Token (PST) and Huma’s V2 deployment on Solana.

Huma Finance discloses a $101,000 exploit on Polygon

The exploit that Huma Finance users are now parsing traces back to deprecated infrastructure rather than the protocol’s current core operations. Huma said the affected contracts were the older V1 BaseCreditPool contracts on Polygon, which were already supposed to be out of commission.

The total amount drained was approximately $101,000. Broken down, that included 82,316 USDC and 19,075 USDC.e taken through unauthorized drawdowns.

Huma tied the incident to a credit-lifecycle logic error in those deprecated contracts. In plain terms, the flaw appears to have affected how the contracts handled stages of a credit line and who could trigger drawdowns under certain conditions.

Security experts described the issue as a preventable access-control flaw, not a novel zero-day attack. That makes this less a story about an unusually sophisticated breach and more a warning about the risks that linger when outdated smart contracts remain on-chain.

What was hit, and what was not

The protocol said the exploit was contained to the deprecated V1 BaseCreditPool contracts on Polygon.

What Huma said was not impacted:

  • User deposits
  • PayFi Strategy Token (PST)
  • Huma’s V2 deployment on Solana

That separation is a big part of why the incident appears to have stayed relatively contained. Huma said the damage was limited to pool owner fees and protocol fees, which suggests the blast radius did not extend into the parts of the ecosystem most users would worry about first.

For DeFi users, this is the key takeaway. Not every exploit hits active customer balances, and in this case Huma said its live Solana V2 setup remained fully operational. The fact that PST was also unaffected helps narrow the scope of concern around the broader protocol.

Why the old contracts were vulnerable

At the center of the Huma Finance exploit on Polygon was a credit-lifecycle logic error in deprecated contracts. Huma said the flaw involved the way the old smart contracts managed a credit line’s stages, particularly around drawdowns and permissions.

That matters because it points to a class of weakness DeFi projects know well but still struggle to eliminate: deprecated smart contracts. Even when a protocol upgrades, migrates, or shifts to a newer chain, the older code can remain live on-chain. If it still holds value or retains sensitive permissions, it can become an easy target.

A preventable access-control flaw in deprecated smart contracts

Security experts analyzing the incident characterized it as a preventable access-control flaw. That framing is important. It suggests the problem was not some entirely new attack method, but a weakness tied to contract design and controls.

The lesson goes beyond Huma. DeFi often celebrates new versions, new chains, and faster rollouts. However, legacy code does not disappear just because user attention has moved elsewhere. The Huma Finance exploit on Polygon is a reminder that old systems can still carry real financial risk if they are not fully shut down, emptied, or otherwise hardened.

There is also a strategic lesson here for protocols expanding across chains. Huma’s current V2 deployment on Solana was not impacted, and that separation helped prevent the incident from becoming something larger. In practice, that kind of architectural distance can make the difference between a contained loss and a protocol-wide crisis.

Why this incident is drawing attention

On the surface, about $101,000 is not one of crypto’s biggest exploit totals. Still, the story stands out because it hits a recurring weakness in DeFi security: abandoned or semi-retired contracts that still exist in public view and can still be tested by attackers.

The incident also lands at a moment when Huma has been building around newer infrastructure. That makes the contrast sharper. The protocol’s older Polygon-based V1 contracts were exploited, while its Solana V2 system and PST remained untouched.

For investors and users, the message is fairly direct: newer deployments may be safer, but that does not automatically neutralize risks sitting in older code. In DeFi, migration is not the same thing as removal. And when deprecated smart contracts still have accessible value inside them, attackers notice.

Source: https://en.cryptonomist.ch/2026/05/12/huma-finance-exploit-polygon-v1/
