Overview
- Huma Finance said an attacker drained about $101,400 from its deprecated V1 credit pools on Polygon that held USDC and USDC.e.
- Blockaid linked the theft to a bug in a refreshAccount function that switched accounts to GoodStanding and let the script pull funds like an approved borrower.
- Forensics show about 82,315.57 USDC left contract 0x3EBc1, 17,290.76 USDC.e left 0x95533, and 1,783.97 USDC.e left 0xe8926 in one bundled transaction.
- Huma paused all remaining V1 contracts and said its Solana PayFi V2 and the PST token, which tracks positions in payment finance strategies, were not touched.
- Market reaction stayed calm with the token near $0.022 as the loss was small and confined to legacy code that is being retired.