New hack on Polygon: What happened at Huma Finance?
Huma Finance lost $101,000 in a Polygon exploit. Learn about the risks of older smart contracts and how to stay safe in DeFi.
On May 11, 2026, the decentralized finance ecosystem was shaken once again. A critical flaw allowed an attacker to siphon approximately $101,400 in USDC and USDC.e from the liquidity pools of Huma Finance on the Polygon network. According to on-chain data, the attack was executed in a single transaction, exploiting a logic vulnerability rather than a cryptographic flaw.
Since the incident, security firm Blockaid revealed that the issue stemmed from the refreshAccount() function. This bug allowed an unauthorized account status to be changed to “GoodStanding”, thereby bypassing all approval steps. The attacker was able to drain the reserves without triggering a single alert, causing a temporary bearish sentiment around the protocol’s aging infrastructure.
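An added illustration, not Huma's contract code or anything from Blockaid's analysis: a simplified Python model of how a status-refresh routine that derives standing from payment dates alone can promote a never-approved account to "GoodStanding", shown next to a hardened variant and a monitoring invariant. All class names, rules and figures are assumptions constructed for the example.

```python
from contextlib import suppress
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    REQUESTED = 1      # applied, never approved
    GOOD_STANDING = 2  # approved and current on payments
    DELAYED = 3        # approved but past due

@dataclass
class Account:
    state: State = State.REQUESTED
    limit: int = 0     # credit limit, set only by approve()
    due_day: int = 0   # next payment due date; 0 = nothing billed yet

class Pool:
    """Constructed toy model; names and rules are assumptions, not Huma's code."""
    def __init__(self, reserves, hardened):
        self.reserves, self.hardened, self.accounts = reserves, hardened, {}
    def approve(self, who, limit, due_day):
        self.accounts[who] = Account(State.GOOD_STANDING, limit, due_day)
    def refresh_account(self, who, today):
        acct = self.accounts.setdefault(who, Account())
        # Hardened: a status refresh is only valid for already-approved accounts.
        if self.hardened and acct.state is State.REQUESTED:
            raise PermissionError("account was never approved")
        # Flawed rule: standing comes from the due date alone, so "nothing billed" = not late.
        late = acct.due_day != 0 and today > acct.due_day
        acct.state = State.DELAYED if late else State.GOOD_STANDING
    def drawdown(self, who, amount):
        acct = self.accounts[who]
        if acct.state is not State.GOOD_STANDING:
            raise PermissionError("not in good standing")
        # Hardened: do not trust the status flag alone; enforce the approved limit.
        if self.hardened and amount > acct.limit:
            raise PermissionError("exceeds approved limit")
        self.reserves -= amount
        return amount

def unapproved_in_good_standing(pool):
    """Monitoring invariant: GOOD_STANDING must imply an approved limit."""
    return [w for w, a in pool.accounts.items() if a.limit == 0 and a.state is State.GOOD_STANDING]

def scenario(hardened):
    pool = Pool(reserves=1_000, hardened=hardened)  # constructed figures
    with suppress(PermissionError):
        pool.refresh_account("unapproved", today=10)
        pool.drawdown("unapproved", 1_000)
    return pool.reserves, unapproved_in_good_standing(pool)
```

In the unhardened model the reserves reach zero and the invariant check flags the account; with both checks enabled the refresh is refused before any funds move.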
This exploit highlights a persistent problem in DeFi: the management of legacy smart contracts. The attack targeted the V1 BaseCreditPool contracts, an obsolete architecture that developers were already in the process of deprecating. On the blockchain, a deployed contract remains active indefinitely, creating “zombie contracts” that become prime targets for hackers.
Fortunately, the Huma Finance team reacted swiftly by pausing all remaining V1 contracts. They also confirmed that their V2 system, entirely rebuilt on the Solana blockchain, is completely unaffected. User funds on this new version, as well as the PST token, are safe. This technological transition to Solana proves the importance of a modern architecture to prevent these kinds of disasters.
The PST token and the full V2 on Solana already manage ~$179M in liquidity and $13 billion in volume, and the incident comes at a time when Huma Finance is experiencing massive expansion.
As a reminder, Huma Finance is the first PayFi network (Payment Finance), a DeFi infrastructure that allows businesses and institutions to instantly access liquidity to finance their global payments (invoices, cross-border payments, credit card settlements, etc.).
In short, the blockchain tokenizes future payment flows to offer real-time credit while generating yield for liquidity providers. In just 5 months, the protocol has exploded with nearly $13 billion in total transaction volume (including $6.55 billion in origination and $6.43 billion in repayments), $178.87 million in active liquidity, $130.17 million in PayFi assets, and over 119,800 depositors. These impressive figures demonstrate the strong adoption of this new category that bridges DeFi and traditional finance.
This incident on Polygon, occurring shortly after other similar attacks, raises crucial questions about the overall security of DeFi. While the market is hoping for a new rally and many tokens are targeting a new ATH, the persistence of these vulnerabilities on older versions could slow down institutional adoption.
Moreover, Huma Finance was in the midst of an adoption boom. We can only hope that this incident will not have too much of an impact moving forward. Huma’s quick and effective reaction is already a positive point. However, the resurgence of DeFi hacks and smart contract vulnerabilities remains a major concern for the long term.
To conclude, developers must absolutely secure or destroy their legacy contracts before launching new iterations. Without a massive cleanup of these historical flaws, other protocols could see their liquidity vanish overnight. Are your cryptos truly safe on protocols that have not yet shut down their old versions?
Charles Ledoux is a Bitcoin and blockchain technology specialist. A graduate of the Crypto Academy, he has been a Bitcoin miner for over a year. He has written numerous masterclasses to educate newcomers to the industry and has authored over 2,000 articles on cryptocurrency. Now, he aims to share his passion for crypto through his articles for InvestX.