Logic bug drains $101,400 from Huma's legacy Polygon credit pools, Solana PayFi V2 unaffected

Huma Finance's legacy V1 credit pools on Polygon were exploited due to a logic flaw, resulting in a loss of about $101,400 in USDC and USDC.e. The bug in the refreshAccount() function incorrectly changed borrower status, allowing an attacker to withdraw funds from treasury-linked pools in a single transaction. The exploit affected only deprecated contracts being phased out, with all V1 contracts now paused. Huma's current PayFi V2 platform on Solana, along with its PST token, remains secure and structurally separate from the vulnerable code. This incident highlights risks in legacy DeFi contracts and the importance of updated architectures.