Huma Finance Hack: $101K Drained From Polygon V1 Legacy Pools
The Huma Finance hack drained about $101,400 from deprecated Polygon V1 BaseCreditPool smart contracts. Blockaid traced the breach to flawed account validation in refreshAccount(), where an attacker manipulated an account status to “GoodStanding” and then enabled unauthorized drawdown() via coordinated transactions.
Key losses included ~82,315 USDC from one affected pool and additional USDC.e balances from two other contracts. Huma says this involved legacy paths like requestCredit() and refreshAccount() that may remain reachable if legacy contracts are not fully retired.
Crucially, Huma Finance insists user funds were not at risk because its newer Solana-based V2 infrastructure is isolated and does not share code with the compromised Polygon V1 deployments. Still, the incident underscores broader DeFi risk from technical debt: dormant functions, leftover approvals, residual balances, and hidden attack surfaces. (Related same-day Polygon incident: Ink Finance lost nearly $140,000 from its Workspace Treasury Proxy contract.)
For traders, the Huma Finance hack is a short-term caution signal for Polygon DeFi exposure, particularly protocols relying on legacy contract patterns.
Bearish
This event is linked to a Polygon V1 legacy-contract exploit, and both summaries emphasize that legacy pathways can remain reachable even after migration. That increases perceived smart-contract risk across Polygon DeFi. In the short term, traders typically price in higher operational/security uncertainty, which can pressure Polygon DeFi sentiment and liquidity for MATIC-linked markets.
Even though Huma states its Solana-based V2 keeps active user funds isolated, the broader takeaway is still negative: technical debt, incomplete sunsetting, and residual balances can lead to repeat incidents. If similar legacy exposure is discovered in other Polygon protocols, it can extend the bearish tone for longer. Overall, the likely effect on MATIC is near-term sentiment deterioration, outweighing the reassurance provided by V2 isolation.