Huma’s V1 Exploit: $101K in DeFi’s Shadow

Behold, the tale of a logic bug, a mischievous glitch in Huma’s legacy V1 Polygon credit pools, which allowed an audacious soul to siphon $101,400 in USDC, while its Solana-based PayFi V2 and PST token danced unscathed, as if untouched by the tempest.

~$101.4K (USDC + USDC.e),” with the team confirming the incident was confined to the shadows of deprecated contracts rather than the vibrant heart of live production vaults. A detailed write-up from Web3 security firm Blockaid, cited by CryptoTimes, attributes the loss to a logic flaw in a function called refreshAccount(), which, with the cunning of a fox, changed an account’s status from “Requested credit line” to “GoodStanding” without the necessary checks.

This bug, a sly trickster, allowed the attacker to bypass the gates of access controls and withdraw funds as if they were a favored guest. Blockaid’s analysis reveals that approximately 82,315.57 USDC vanished from one contract (0x3EBc1), 17,290.76 USDC.e from another (0x95533), and 1,783.97 USDC.e from a third (0xe8926), all in a meticulously orchestrated sequence, executed in a single transaction. The exploit, a master of deception, did not involve breaking cryptography or private keys, but rather manipulating the very fabric of business logic so the system “thought” the attacker was permitted to claim their prize.
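To make the class of bug concrete, the following Solidity sketch is a hypothetical illustration written for this article. It is not Huma's V1 code, and it borrows nothing from it beyond the function name refreshAccount() and the two state labels the Blockaid write-up mentions; the contract names, the IERC20 stub, the approver role and the PAY_PERIOD constant are all assumptions. The "before" pool stamps an account as GoodStanding on every refresh without looking at its prior state, so the approval step is never actually enforced by the drawdown path that trusts that state; the "after" pool confines the Requested to GoodStanding transition to a single privileged function and lets refresh only move an already-approved line downward.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration for this article; not Huma's V1 code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract CreditPoolBase {
    // Explicit lifecycle of a credit line. Every transition should be
    // enumerable: who may trigger it, and from which prior state.
    enum CreditState { Deleted, Requested, GoodStanding, Delinquent }

    struct CreditRecord {
        uint96 creditLimit;  // amount the borrower may still draw
        uint64 nextDueDate;  // recomputed on approval / refresh
        CreditState state;
    }

    uint64 public constant PAY_PERIOD = 30 days;  // assumed value
    IERC20 public immutable token;
    address public immutable approver;
    mapping(address => CreditRecord) public records;

    constructor(IERC20 token_, address approver_) {
        token = token_;
        approver = approver_;
    }

    // Anyone may ask for a line; this only records the request.
    function requestCredit(uint96 limit) external {
        CreditRecord storage cr = records[msg.sender];
        require(cr.state == CreditState.Deleted, "already has a line");
        cr.creditLimit = limit;
        cr.state = CreditState.Requested;
    }

    // The one privileged transition: only the approver promotes
    // Requested -> GoodStanding.
    function approveCredit(address borrower) external {
        require(msg.sender == approver, "not approver");
        CreditRecord storage cr = records[borrower];
        require(cr.state == CreditState.Requested, "nothing to approve");
        cr.nextDueDate = uint64(block.timestamp) + PAY_PERIOD;
        cr.state = CreditState.GoodStanding;
    }

    // Drawdown trusts the state field, so any unguarded path into
    // GoodStanding is equivalent to skipping approval altogether.
    function drawdown(uint256 amount) external {
        CreditRecord storage cr = records[msg.sender];
        require(cr.state == CreditState.GoodStanding, "not in good standing");
        require(amount <= cr.creditLimit, "over limit");
        cr.creditLimit -= uint96(amount);
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    function refreshAccount(address borrower) external virtual;
}

// BEFORE: refresh rewrites the due date and stamps GoodStanding without
// checking the prior state. A line that is merely Requested becomes
// drawable after one unprivileged call.
contract CreditPoolVulnerable is CreditPoolBase {
    constructor(IERC20 t, address a) CreditPoolBase(t, a) {}

    function refreshAccount(address borrower) external override {
        CreditRecord storage cr = records[borrower];
        cr.nextDueDate = uint64(block.timestamp) + PAY_PERIOD;
        cr.state = CreditState.GoodStanding;  // missing prior-state check
    }
}

// AFTER: refresh is only defined for lines that were already approved, and
// it can only move a line downward (GoodStanding -> Delinquent when overdue).
// Promotion out of Requested remains confined to approveCredit().
contract CreditPoolHardened is CreditPoolBase {
    constructor(IERC20 t, address a) CreditPoolBase(t, a) {}

    function refreshAccount(address borrower) external override {
        CreditRecord storage cr = records[borrower];
        require(
            cr.state == CreditState.GoodStanding ||
                cr.state == CreditState.Delinquent,
            "line not approved"
        );
        if (block.timestamp > cr.nextDueDate) {
            cr.state = CreditState.Delinquent;
        }
        // Recovery from Delinquent belongs to a repayment path, not here.
    }
}
```

The review question this sketch is meant to prompt is the one the incident turns on: for every write to a status field, list the states it may be entered from and the caller that may trigger it, and treat any writer that unconditionally sets a privileged state as a finding. On the monitoring side, a status change on an account that never saw a successful approver call is the kind of state transition a pool operator can alert on before a drawdown follows it.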

Huma, ever the diligent steward, had already been winding down its V1 liquidity pools on Polygon when the exploit struck, and has now fully paused all remaining V1 contracts to avert further peril. In its disclosure, the team emphasized that Huma 2.0 – a permissionless, composable “real-yield” PayFi platform that launched on Solana in April 2025 with the backing of Circle and the Solana Foundation – is “a complete rebuild,” a new dawn with a different architecture, unshackled from the vulnerable V1 code.

Huma 2.0’s design, a symphony of innovation, centers on the $PST (PayFi Strategy Token), a liquid, yield-bearing LP token that embodies positions in payment-financing strategies and can be woven into the fabric of Solana DeFi protocols such as Jupiter, Kamino, and RateX. By contrast, the exploited V1 contracts were part of an older, permissioned credit-pool system on Polygon, now a relic of a bygone era.

For users, the key takeaway is that the $101,400 USDC loss targeted the shadows of legacy protocol-level liquidity rather than individual wallets, and that current deposits and PST positions on Solana are reported as safe. Yet the incident adds another chapter to the long saga of DeFi exploits in which the weak point was not the strength of signature schemes but the frailty of business logic in aging contracts – a reminder that even the grandest castles crumble if their foundations are not reinforced. It is why teams like Huma are now forging new paths, and why users should treat “legacy” and “soon to be deprecated” pools with the same caution they reserve for unaudited code, lest they find themselves in the throes of a digital tragedy.


2026-05-11 23:06