Huma V1's BaseCreditPool exposed a refreshAccount() entry point that flipped borrower accounts into 'GoodStanding' state without verifying any of the underlying conditions that should gate that promotion (no payment history check, no credit-line health check, no caller-authorization check on who can refresh whom). With the account marked GoodStanding, the contract's drawdown() path permitted the attacker to withdraw against the credit line in a single scripted transaction. The attacker chained refreshAccount() → drawdown() across three deprecated V1 BaseCreditPool deployments to extract 82,316 USDC and ~19,075 USDC.e (~$101.4K combined) from pool-owner-fee and protocol-fee accumulations. Customer principal was not exposed. Per Huma's own post-mortem and external commentators, this is a preventable access-control flaw, not a novel zero-day — a textbook 'state-transition lacks the predicate it claims to enforce' bug, structurally visible in the deployed bytecode.
Method: refreshAccount() unconditional GoodStanding state flip → unauthorized drawdown.

Narrative: Huma Finance's deprecated V1 BaseCreditPool deployments on Polygon were drained for ~$101.4K via a refreshAccount() logic flaw that flipped borrower accounts into 'GoodStanding' without proper checks. The attacker scripted refreshAccount() → drawdown() across three V1 pool deployments (BaseCreditPool 0x3EBc..., 0x9553..., 0xe892...) to extract 82,316 USDC + 17,290 USDC.e + 1,783 USDC.e. Losses were confined to pool-owner-fee and protocol-fee accumulations; user principal was unaffected. Huma is accelerating its V2 migration on Solana. Attacker: 0x13B4...0DaF. Exploit contract: 0x44D4...22A3.

Notes: Multiple victim contracts: 0x3EBc1f0644A69c565957EF7cEb5AEafE94Eb6FcE (82,315.57 USDC), 0x95533e56f397152B0013A39586bC97309e9A00a7 (17,290.76 USDC.e), 0xe8926aDbFADb5DA91CD56A7d5aCC31AA3FDF47E5 (1,783.97 USDC.e). User principal NOT at risk per Huma post-mortem.
Attacker 0x13B44e416e0f66359502E843AF2e1191f1260DaF, exploit contract 0x44D4a434aE1529106e4B801315E22721978022A3. Attack tx: 0x7b8d641d76affcc029fd0e0f06ab81ad675b1da21ef79b82e1343016040ba359.
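The bug class described above, as an added illustration that is not Huma's code: a simplified credit pool where a refresh entry point promotes an account to GoodStanding with none of the gating checks, beside a hardened form that verifies the caller, the source state, the payment status and the credit-line health before the promotion. The contract name, the state names other than GoodStanding, the struct fields and the evaluationAgent role are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified credit pool (not Huma's code). It shows a state
// promotion that lacks the predicate it claims to enforce, and the hardened form.
contract CreditPoolExample {
    enum State { Approved, GoodStanding, Delayed, Defaulted }

    struct CreditRecord {
        uint96 creditLimit;        // maximum principal the line may carry
        uint96 unbilledPrincipal;  // principal currently drawn
        uint64 nextDueDate;        // unix time of the next payment
        uint96 totalDue;           // unpaid amount from past billing cycles
        State  state;
    }

    mapping(address => CreditRecord) public creditRecords;
    address public immutable evaluationAgent; // assumed role allowed to refresh

    constructor(address ea) { evaluationAgent = ea; }

    // VULNERABLE pattern: any caller can promote any borrower, regardless of
    // dues, credit-line health, or who is asking.
    function refreshAccountVulnerable(address borrower) external {
        creditRecords[borrower].state = State.GoodStanding;
    }

    // HARDENED pattern: the promotion is gated on the caller and on the
    // conditions GoodStanding is supposed to mean.
    function refreshAccount(address borrower) external {
        require(msg.sender == evaluationAgent, "not authorized");
        CreditRecord storage cr = creditRecords[borrower];
        require(cr.state == State.Approved || cr.state == State.Delayed, "bad source state");
        require(cr.totalDue == 0, "outstanding dues");                 // payment history
        require(block.timestamp <= cr.nextDueDate, "past due");        // payment history
        require(cr.unbilledPrincipal <= cr.creditLimit, "over limit"); // line health
        cr.state = State.GoodStanding;
    }

    // drawdown() trusts the state flag, so it is only safe if every path that
    // sets GoodStanding enforces the predicate above.
    function drawdown(uint96 amount) external {
        CreditRecord storage cr = creditRecords[msg.sender];
        require(cr.state == State.GoodStanding, "not in good standing");
        require(cr.unbilledPrincipal + amount <= cr.creditLimit, "exceeds credit limit");
        cr.unbilledPrincipal += amount;
        // token transfer to the borrower omitted in this illustration
    }
}
```

A review check that follows from this: for each state that unlocks funds, enumerate every function that writes it and confirm each one enforces the same predicate.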
- chain: polygon
- protocol: Huma Finance V1 (deprecated)
- bug_class: access-control
- date_occurred: 2026-05-11
- loss_usd: $101,400
- source_id: ca:huma-finance-v1-polygon-2026-05-11