Huma Finance V1 Exploit: $101K Drained from Polygon BaseCreditPool via Credit-State Logic Error
Huma Finance's deprecated V1 BaseCreditPool contracts on Polygon were exploited for about $101,400 in USDC and USDC.e after a credit-lifecycle logic flaw allowed unauthorized drawdowns. Huma said user funds, PST, and its Solana V2 system were unaffected.

- Incident Date: May 11, 2026
- Target: Huma Finance deprecated V1 BaseCreditPool contracts on Polygon
- Target Overview: Huma Finance is a decentralized PayFi protocol that connects payment financing with on-chain infrastructure. Public statements scoped this incident to older V1 Polygon contracts that were already being phased out; Huma stated that PST and its V2 Solana system were not impacted.
- Total Loss: ~$101,400 in USDC and USDC.e
- Attack Vector: Credit Lifecycle Logic Error / Approval-State Bypass / Unauthorized Drawdown
Incident Review & Technical Details
1. Attack Path
- Deprecated V1 Contracts Were Targeted: The attacker targeted Huma Finance's legacy V1 BaseCreditPool deployments on Polygon rather than the newer V2 Solana system.
- Credit-State Validation Failed: Public reporting attributed the bug to the V1 refreshAccount() function. The vulnerable flow reportedly promoted a credit line from a requested state into GoodStanding without enforcing the expected approval checks.
- Approval Step Was Bypassed: Once the account state was incorrectly advanced, the attacker could pass checks that should have blocked the credit line from drawing funds.
- Unauthorized drawdown() Became Reachable: The incorrectly approved state enabled unauthorized drawdowns from the affected BaseCreditPool contracts.
- Funds Were Drained Across Three Contracts: Blockaid-linked reporting identified losses of approximately 82,315.57 USDC, 17,290.76 USDC.e, and 1,783.97 USDC.e across three V1 BaseCreditPool contracts, totaling about $101.4K.
- Single-Transaction Execution: Public reports described the exploit as a logic manipulation executed quickly in a single transaction, rather than a cryptographic break or private-key compromise.
2. Impact Scope
- Direct Losses: Approximately $101,400 in USDC and USDC.e was transferred from the affected legacy Polygon contracts.
- Affected Component: Huma Finance's deprecated V1 BaseCreditPool deployments on Polygon.
- Unaffected Systems: Huma stated that user funds were not at risk, PST was not impacted, and V2 on Solana was a complete rewrite that did not share this issue.
- Fund Type: CryptoBriefing reported that the damage was confined to pool owner fees and protocol fees, not user deposits.
- Operational Response: Huma said the team had already been sunsetting legacy V1 pools and fully paused V1 after the incident.
3. Root Cause Assessment
The incident fits a credit-state-machine authorization failure:
- State Transition Was Too Permissive: A credit line should not move from a requested state into a drawable good-standing state unless the required approval path has completed.
- Authorization Was Encoded Indirectly in Status: Once downstream drawdown checks trusted the account's status, a bad status transition became equivalent to granting drawdown authority.
- Legacy Code Still Had Live Value: Even deprecated contracts can retain balances, fee streams, or treasury-linked funds. If they remain callable, attackers can treat them as active targets.
- Pause and Decommission Lag Created Exposure: Huma had already been phasing out V1, but the exploit shows why decommissioning needs hard technical closure: pausing, draining residual balances, revoking permissions, and disabling sensitive state paths.
The key invariant should have been strict: refreshAccount() must never promote a credit line into a drawable status unless the expected approver, underwriting, and lifecycle conditions are all proven for that exact account.
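The state-machine failure described above, as an added illustrative model (not Huma Finance's V1 BaseCreditPool code). The state names, the approved_by record, the permissive and strict refresh variants, and the attacker and negative-case flows are assumptions chosen to show the bug class: a refresh that promotes a requested line into a drawable state is equivalent to granting drawdown authority, because drawdown() trusts the status field.

```python
"""Illustrative credit-line state machine for the failure class in this write-up.
Example model, not Huma Finance's V1 BaseCreditPool code: states, fields and
both refresh variants are assumptions, not the real V1 logic."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, Optional, Set


class CreditState(Enum):
    REQUESTED = auto()      # borrower asked; nobody has signed off
    APPROVED = auto()       # approver recorded; not yet live
    GOOD_STANDING = auto()  # the only drawable state
    DELAYED = auto()
    DEFAULTED = auto()
    DELETED = auto()


@dataclass
class CreditRecord:
    borrower: str
    credit_limit: int
    state: CreditState = CreditState.REQUESTED
    approved_by: Optional[str] = None  # explicit approval record, None until approval
    principal: int = 0


@dataclass
class CreditPool:
    approvers: Set[str]
    liquidity: int
    records: Dict[str, CreditRecord] = field(default_factory=dict)

    def request_credit(self, borrower: str, limit: int) -> None:
        self.records[borrower] = CreditRecord(borrower, limit)

    def approve_credit(self, borrower: str, approver: str) -> None:
        if approver not in self.approvers:
            raise PermissionError("caller is not an approver")
        rec = self.records[borrower]
        rec.approved_by = approver
        rec.state = CreditState.APPROVED

    def refresh_account_permissive(self, borrower: str) -> CreditState:
        # Bug class (hypothetical rendering): the refresh only asks "is this line
        # delinquent?" and otherwise marks it GOOD_STANDING, so a merely REQUESTED
        # line with no approval on record becomes drawable.
        rec = self.records[borrower]
        if rec.state in (CreditState.REQUESTED, CreditState.APPROVED):
            rec.state = CreditState.GOOD_STANDING
        return rec.state

    def refresh_account_strict(self, borrower: str) -> CreditState:
        # Hardened: promotion needs the APPROVED state AND a live approver record.
        rec = self.records[borrower]
        if rec.state == CreditState.APPROVED and rec.approved_by in self.approvers:
            rec.state = CreditState.GOOD_STANDING
        return rec.state

    def drawdown(self, borrower: str, amount: int) -> int:
        # Downstream check trusts the status field: a bad transition upstream is
        # therefore an authorization grant. Returns remaining pool liquidity.
        rec = self.records[borrower]
        if rec.state != CreditState.GOOD_STANDING:
            raise PermissionError("credit line is not drawable")
        if rec.principal + amount > rec.credit_limit:
            raise ValueError("amount exceeds credit limit")
        if amount > self.liquidity:
            raise ValueError("insufficient pool liquidity")
        rec.principal += amount
        self.liquidity -= amount
        return self.liquidity


def attacker_flow(strict: bool):
    """Request a line, call refresh with no approval, try to drain the pool."""
    pool = CreditPool(approvers={"underwriter"}, liquidity=100_000)
    pool.request_credit("attacker", 100_000)
    refresh = pool.refresh_account_strict if strict else pool.refresh_account_permissive
    refresh("attacker")
    try:
        pool.drawdown("attacker", 100_000)
        return True, pool.liquidity   # drained
    except PermissionError:
        return False, pool.liquidity  # blocked


def approved_flow() -> int:
    """Legitimate path under the strict refresh: approval precedes promotion."""
    pool = CreditPool(approvers={"underwriter"}, liquidity=100_000)
    pool.request_credit("borrower", 50_000)
    pool.approve_credit("borrower", "underwriter")
    pool.refresh_account_strict("borrower")
    return pool.drawdown("borrower", 40_000)


def negative_cases() -> Dict[str, bool]:
    """Negative-case tests: drawdown must be rejected in every non-drawable state."""
    results = {}
    for state in CreditState:
        if state is CreditState.GOOD_STANDING:
            continue
        pool = CreditPool(approvers={"underwriter"}, liquidity=10_000)
        pool.request_credit("b", 10_000)
        pool.records["b"].state = state
        try:
            pool.drawdown("b", 1)
            results[state.name] = False
        except PermissionError:
            results[state.name] = True
    return results
```

Running attacker_flow(strict=False) drains the pool to zero with no approval ever recorded, while attacker_flow(strict=True) leaves the line in REQUESTED and the drawdown is rejected; negative_cases() is the kind of per-state test that would have caught the permissive variant before deployment.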
4. Mitigation and Response
Recommended actions for credit pools, lending protocols, and PayFi systems:
- Require explicit approval records before any transition into a drawable or active-credit state.
- Bind drawdown eligibility to immutable credit-line terms, authorized approver records, borrower identity, pool ID, token, amount, and expiry.
- Add negative-case tests for every lifecycle transition: requested, approved, good standing, late, defaulted, closed, and revoked.
- Treat status fields as high-risk authorization inputs when downstream functions use them to release funds.
- Fully pause or decommission legacy pools by disabling state transitions, draining residual protocol-owned balances, revoking permissions, and monitoring any remaining callable contracts.
- Alert on unusual drawdowns from deprecated contracts, especially when the triggering account was recently created or recently promoted to an active state.
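A monitor for the last recommendation, as an added example that is not Huma's tooling or code: it flags drawdowns from deprecated pools, drawdowns with no approval on record for that pool and borrower, and drawdowns that follow a promotion to GoodStanding within a few blocks (the same-transaction pattern described in the attack path). The event names (ApprovalRecorded, StatusChanged, Drawdown), the pool labels, the block window and the sample events are all constructed for this example.

```python
"""Example drawdown monitor for decoded pool events. Written for this write-up;
event names, pool labels and sample data are constructed, not real chain data."""
from typing import Dict, Iterable, List, Set

DEPRECATED_POOLS: Set[str] = {"v1-pool-a", "v1-pool-b"}  # placeholder labels, not addresses
PROMOTION_WINDOW_BLOCKS = 5  # how recent a promotion counts as "recently promoted"

# Constructed sample events, in the order they would be decoded from logs.
SAMPLE_EVENTS: List[Dict] = [
    {"block": 100, "tx": "0x01", "pool": "v1-pool-a", "event": "ApprovalRecorded",
     "borrower": "bob", "approver": "underwriter"},
    {"block": 101, "tx": "0x02", "pool": "v1-pool-a", "event": "StatusChanged",
     "borrower": "bob", "to": "GoodStanding"},
    {"block": 300, "tx": "0x03", "pool": "v1-pool-a", "event": "Drawdown",
     "borrower": "bob", "amount": 5_000},
    # Suspect pattern: promotion and drawdown in one tx, no approval ever recorded.
    {"block": 900, "tx": "0x0f", "pool": "v1-pool-b", "event": "StatusChanged",
     "borrower": "mallory", "to": "GoodStanding"},
    {"block": 900, "tx": "0x0f", "pool": "v1-pool-b", "event": "Drawdown",
     "borrower": "mallory", "amount": 82_000},
]


def detect_suspicious_drawdowns(events: Iterable[Dict],
                                deprecated_pools: Set[str] = DEPRECATED_POOLS,
                                window: int = PROMOTION_WINDOW_BLOCKS) -> List[Dict]:
    """Return one alert per drawdown that trips at least one rule."""
    approved = set()   # (pool, borrower) pairs with an approval on record
    promoted_at = {}   # (pool, borrower) -> block of last promotion to GoodStanding
    alerts = []
    # sorted() is stable, so same-block events keep their log order.
    for ev in sorted(events, key=lambda e: e["block"]):
        key = (ev["pool"], ev["borrower"])
        kind = ev["event"]
        if kind == "ApprovalRecorded":
            approved.add(key)
        elif kind == "StatusChanged" and ev.get("to") == "GoodStanding":
            promoted_at[key] = ev["block"]
        elif kind == "Drawdown":
            reasons = []
            if ev["pool"] in deprecated_pools:
                reasons.append("drawdown from deprecated pool")
            if key not in approved:
                reasons.append("no approval recorded before drawdown")
            if key in promoted_at and ev["block"] - promoted_at[key] <= window:
                reasons.append("promoted to GoodStanding within %d blocks" % window)
            if reasons:
                alerts.append({
                    "tx": ev["tx"], "pool": ev["pool"], "borrower": ev["borrower"],
                    "amount": ev["amount"], "reasons": reasons,
                    # Several rules firing together is the strong signal.
                    "severity": "high" if len(reasons) >= 2 else "low",
                })
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_drawdowns(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["tx"], a["borrower"], a["amount"],
              "; ".join(a["reasons"]))
```

On the sample data bob's drawdown is a low-severity "deprecated pool" alert only, because his approval and promotion happened long before; mallory's drawdown trips all three rules and is the high-severity case worth paging on. In practice the approval and promotion state would be seeded from historical logs before the monitor starts, so that established borrowers are not flagged as unapproved.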
AUTOSEC.DEV Solution: Building a 360-Degree Defense
Huma Finance's V1 incident shows how a small lifecycle bug can become a fund-moving authorization bypass. In credit protocols, the status machine is not just accounting metadata; it is part of the security boundary.
- Smart Contract Logic Audit: AUTOSEC.DEV reviews credit lifecycle transitions, authorization checks, borrower approval flows, drawdown logic, and pool-level accounting invariants.
- State-Machine Security Testing: We build negative-case tests and fork simulations for invalid status promotions, unauthorized drawdowns, stale approvals, revoked borrowers, and deprecated pool paths.
- Legacy Contract Risk Assessment: We identify phased-out pools, residual balances, live callable functions, fee balances, approvals, and admin paths that remain exploitable after migration.
- Incident Response (IR): AUTOSEC.DEV supports exploit triage, affected-contract scoping, on-chain tracing, emergency pause guidance, and post-incident hardening for active DeFi incidents.
Service Content
- AUTOSEC.DEV - Secure Code Review
- AUTOSEC.DEV - Penetration Testing
- AUTOSEC.DEV - Incident Response Service