Polygon V1 BaseCreditPool exploit: Huma Finance $101K drained
Huma Finance disclosed a Polygon V1 BaseCreditPool exploit on May 11, with losses of about $101K. The attacker carried out unauthorized drawdowns, draining 82,316 USDC and 19,075 USDC.e.
The issue traces to a credit-lifecycle logic/access-control flaw in the deprecated V1 contracts, which should have been inactive. Huma says the Polygon V1 incident affected only pool owner fees and protocol fees and did not impact user deposits. Huma also paused the remaining V1 contracts on Polygon.
Importantly for traders: Huma’s Solana-based PayFi V2 deployment is described as structurally separated and fully operational, with no reported impact on PST (PayFi Strategy Token) holdings or on USD* backing strategies integrated on April 30.
Updates on the Polygon V1 BaseCreditPool exploit mainly reinforce “legacy contract risk” in DeFi. With no claimed user-fund loss and clear architectural isolation from V2, market-wide contagion appears limited, but scrutiny of deprecated on-chain contracts and residual permissions is likely to increase.
Neutral
The event is framed as contained: Huma attributes the Polygon V1 BaseCreditPool exploit to a logic/access-control flaw in deprecated contracts and says only pool owner and protocol fees were impacted, not user deposits. That reduces the likelihood of broader credit/deposit stress in the wider market.
Near-term, traders may react to legacy-contract and “pause/upgrade hygiene” headlines by monitoring related stablecoin and Solana ecosystem exposures, but the reported architectural separation from Solana PayFi V2 limits immediate contagion risk.
Over the long term, this incident can slightly raise perceived risk premia for DeFi protocols that retain old permissions or residual balances after migrations. However, with no claimed user-fund loss and explicit confirmation of V2 operational status, the net market impact on the involved assets is more likely neutral than bearish.