Huma Finance Hit by $101K Loss in Polygon Smart Contract Exploit

Huma Finance has fallen victim to a security flaw in its V1 smart contracts on Polygon, resulting in a significant financial loss.

The exploit, which was reported by web3 security firm Blockaid, targeted BaseCreditPool deployments related to the company's older infrastructure. According to the researchers, the bug was found in a function named refreshAccount(), which unconditionally promoted a Requested credit line to GoodStanding without verification or conditions.

The attackers took advantage of this flaw and drained funds from the protocol's treasury pools, with losses totaling $101,400. The affected contracts have been paused, and Huma Finance has assured users that no funds are at risk. The company's V2 system, which runs on Solana, is not impacted by the exploit.

This incident is part of a larger trend of security flaws in smart contract design on Polygon. Just days ago, Ink Finance lost almost $140,000 from its Workspace Treasury Proxy contract due to a similar logic mistake. The back-to-back exploits have set a record for the worst month of smart contract losses in April 2026.