VERDICT —UNRATED
Verdict pending. Auto-ingested incidents are reviewed before a public verdict is rendered.
Root cause
Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Forensic narrative
A logic flaw in Huma Finance’s deprecated V1 BaseCreditPool contracts on Polygon was exploited, draining approximately 101,400 USDC and USDC.e from accumulated protocol fees and pool owner fees. No user funds were at risk, PST token unaffected. The team had already been sunsetting V1 pools and immediately paused all V1 contracts. Huma’s V2 on Solana is a complete rewrite and remains secure. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 101,400.
Primary source
https://x.com/humafinance/status/2053858499378258198 ↗Sourced from
slowmist
Technical record
- chain
- solana
- protocol
- Huma Finance
- bug_class
- logic
- date_occurred
- 2026-05-11
- loss_usd
- $101,400
- source_id
- sm:huma-finance::2026-05-11
Related — same bug class· logic