Huma Finance disclosed a $101,000 exploit this week that hit deprecated V1 contracts on the Polygon blockchain. The DeFi lending protocol said the attack targeted old smart contracts that were no longer actively maintained. No other systems or funds were affected, the firm added.
What went wrong
The exploit drained about $101,000 from the deprecated V1 contracts. Huma Finance did not name the attacker or specify how the vulnerability was triggered. The contracts were part of an earlier version of the protocol that had been phased out in favor of upgraded V2 infrastructure.
Deprecated code, persistent risk
Deprecated smart contracts often remain live on-chain even after a protocol moves to a new version. If they still hold tokens or have unrevoked permissions, they can become targets. In Huma's case, the V1 contracts apparently still held assets or had some lingering functionality that the attacker exploited. The company didn't disclose whether the V1 contracts had been fully disconnected from the protocol's core systems.
Huma Finance said it has contained the incident and is working with security partners. The platform hasn't shared a timeline for recovery or details on whether any funds can be retrieved. As of Friday, the V1 contracts remain a point of concern — and a reminder that old code doesn't always go away just because a protocol upgrades.
