Huma Finance, a prominent Payment Finance (PayFi) protocol, reported an exploit on the first version of its Polygon-based smart contract on Monday. An update shared by the protocol on confirming the incident on X left its users and the broader crypto community concerned.
The attackers drained an estimate of over $101,000 from Huma Finance’s legacy BaseCreditPool contract, that was deployed on the Polygon network.
Originally launched in 2023, Huma Finance allowed payment institutions to tap into on-chain liquidity for real-world applications including international settlements, credit card settments, and trade finance among others.
Its first V1 contract was launched in 2023 on Polygon following a seed funding of $8.3 million. While V1 established the protocol’s foundation in the PayFi arena, the ecosystem went through a major upgrade last year with the launch of Huma 2.0 (V2) in April last year. This version has been built on the Solana network, that also supports the protol’s native HUMA token.
In Monday’s breach, the attackers drained Huma’s V1 protocol, that had been rather dormant since last year. The Polygon contract that was breached was old and deprecated.
The user funds on Huma Finance’s Solana contract are safe, the protocol noted. On-chain research platform Blockaid said the attackers targeted a bug on Huma’s V1 that manipulated the “refresh account” function to bypass the process of acquiring the underwriter’s approvals. This triggered an automatic unauthorized credit request eventually leading to an immediate fund drain.
“The teams were already in the process of sunsetting all the legacy v1 pools, and have paused v1 completely now,” Huma Finance said, drawing the curtains on its V1 contract for good.
In the backdrop of this breach, the HUMA token registered a drop of around two percent to trade at $0.02 at the time of writing, data by CoinGecko showed. The network boasts of $13 billion in total transaction volume on its website along with $178.7 million in total active liquidity.
This year so far, more cyber attacks have been observed on DeFi protocols instead of centralized crypto platform.
Earlier this month for instance, an attacker drained around $293 million worth of rsETH tokens from KelpDAO, having exploited a vulnerability in a LayerZero bridge. Around the same time, decentralized liquidity provider TrustedVolumes was exploited for roughly $6 million.
Owing to a string of these DeFi-targeting attacks including Drift Protocol’s $285 million attack, malicious actors have reportedly stolen over $600 million from the DeFi space so far this year. In April, data by DefiLlama showed that the total value locked on popular DeFi apps have dropped by over $15 billion.
Source: DefiLlama
Attackers are getting more sophisticated in their attacks with AI tools, triggering discussions on overhauling the existing security systems with more advanced guardrails.