Huma Finance Hit by Exploit on Polygon Network

Huma Finance has disclosed an exploit on the Polygon network, where approximately $101,000 was drained from its deprecated V1 BaseCreditPool contracts. The incident occurred on May 11, but fortunately, user deposits were not affected.

According to Huma, the attacker exploited a preventable access-control flaw in the outdated smart contracts, which managed credit lines and drawdowns. This weakness is a common issue in DeFi projects, where older code can remain live on-chain even after a protocol has upgraded or migrated to a newer chain.

The incident highlights the importance of securing legacy code and ensuring that abandoned contracts are properly shut down or hardened. Huma's separation of its V2 deployment on Solana from its Polygon-based V1 contracts helped contain the damage, limiting it to pool owner fees and protocol fees only.