Overview
- Huma disclosed Monday that deprecated V1 BaseCreditPool contracts on Polygon were exploited for about $101,400 in USDC and USDC.e.
- Security firm Blockaid traced the theft to a refreshAccount() bug that flipped an account into GoodStanding without proper checks, enabling unauthorized drawdowns.
- On-chain data shows 82,315.57 USDC left contract 0x3EBc1, 17,290.76 USDC.e left 0x95533, and 1,783.97 USDC.e left 0xe8926 in a single scripted sequence.
- Huma paused all remaining V1 contracts and said no user deposits, the PayFi Strategy Token, or its Solana-based V2 system were affected.
- The loss fell on protocol and pool-owner fees rather than customer wallets. The incident is speeding Huma’s shift to its permissionless V2, and market reaction stayed muted.