We’ve been working with @blockaid_ on investigating the legacy @humafinance v1 protocol exploit, and for transparency I’m sharing their excellent root cause analysis (link in the first reply).
Here is a TL;DR and the key architectural learnings from the incident. 👇
TL;DR
The Exploit: An attacker found a smart contract bug and drained ~$101K in leftover protocol and pool owner fees from three legacy v1 pools on Polygon.
User Funds: Zero user funds were impacted.
Isolation: This is strictly a v1 issue. It is completely unrelated to PayFi Strategy Tokens (PST), the permissioned v2 pools, or the permissionless programs (PST & Prime).
Solana Programs: The Solana programs feature a fully redesigned architecture and do not contain the exploited functions or logic.
Status: All v1 pools have been paused.
Key Architectural Learnings
On the surface, this was a smart contract bug in v1, launched in early 2023, but it highlights several critical protocol design and operational considerations where different paths should have been pursued:
1. Decouple state transitions from complex logic. Functions like _updateDueInfo() and _getDueInfo() carried high complexity to calculate dues and fees. Embedding state transitions within these complex functions is an anti-pattern. This complexity was recognized as unsatisfactory and was completely abandoned during the design of the Huma v2 smart contracts.
2. Ruthlessly eliminate unused functions. requestCredit() was built to support future expansion but was never used in operations. Non-critical functions inherently receive less testing and security scrutiny, creating an unnecessary attack vector. We even discussed removing it before launch, but kept it under the assumption that it doesn’t add much complexity. If a function isn't required for current operations, it shouldn't be in the contract.
3. Proactively migrate and close legacy pools. Leaving older contracts out on the blockchain creates unnecessary liabilities. With developers and attackers both leveraging AI extensively today, legacy contracts that haven't undergone AI-assisted audits are naturally more vulnerable. Older pools should be actively migrated and fully closed, rather than left running. We were in the process of sunsetting the v1 pools, but didn't have a chance to complete it.
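The separation described in point 1, as an added illustration that is not Huma's code and not taken from the v1 or v2 contracts: the due calculation is a `pure` function with no storage access, a `view` preview exposes it without side effects, and a single small, guarded `settleDue` performs the only state write. The contract name, the `CreditRecord` fields, the simple-interest fee formula and the `manager` role are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not Huma's code): a hypothetical credit line whose
// due calculation is kept pure and whose state transition is a small,
// separately guarded function. Names and the fee formula are assumptions.
contract DecoupledCreditLine {
    struct CreditRecord {
        uint96 principal;      // outstanding principal, in token base units
        uint96 accruedFees;    // fees accumulated but not yet settled
        uint64 lastUpdated;    // timestamp of the last settled state transition
        uint16 aprBps;         // annual fee rate in basis points (assumed)
        bool active;
    }

    mapping(address => CreditRecord) private _records;
    address public immutable manager;

    event DueSettled(address indexed borrower, uint96 feesAdded, uint64 at);

    modifier onlyManager() {
        require(msg.sender == manager, "not manager");
        _;
    }

    constructor() {
        manager = msg.sender;
    }

    function open(address borrower, uint96 principal, uint16 aprBps) external onlyManager {
        require(!_records[borrower].active, "already active");
        _records[borrower] = CreditRecord(principal, 0, uint64(block.timestamp), aprBps, true);
    }

    // Pure calculation: no storage reads or writes, so it can be unit-tested
    // exhaustively and reasoned about in isolation. Accrues simple interest
    // on the principal for the elapsed period.
    function computeAccruedFees(
        uint96 principal,
        uint16 aprBps,
        uint64 lastUpdated,
        uint64 nowTs
    ) public pure returns (uint96) {
        if (nowTs <= lastUpdated || principal == 0) return 0;
        uint256 elapsed = nowTs - lastUpdated;
        uint256 fee = (uint256(principal) * aprBps * elapsed) / (10_000 * 365 days);
        require(fee <= type(uint96).max, "fee overflow");
        return uint96(fee);
    }

    // Read-only preview built on the pure function: callers and auditors can
    // inspect what a settlement would do without any side effects.
    function previewDue(address borrower) external view returns (uint96) {
        CreditRecord storage r = _records[borrower];
        return r.accruedFees + computeAccruedFees(r.principal, r.aprBps, r.lastUpdated, uint64(block.timestamp));
    }

    // The only state transition for dues. Deliberately minimal: precondition
    // checks, one call into the pure math, then the storage writes.
    function settleDue(address borrower) external onlyManager returns (uint96 added) {
        CreditRecord storage r = _records[borrower];
        require(r.active, "inactive");
        uint64 nowTs = uint64(block.timestamp);
        require(nowTs >= r.lastUpdated, "timestamp before last update");
        added = computeAccruedFees(r.principal, r.aprBps, r.lastUpdated, nowTs);
        r.accruedFees += added;   // checked arithmetic under ^0.8
        r.lastUpdated = nowTs;
        emit DueSettled(borrower, added, nowTs);
    }
}
```

Because `computeAccruedFees` is `pure`, its whole input space can be fuzzed or property-tested without deploying state, and a reviewer auditing `settleDue` only has to check three lines of writes and their guards. The example also follows point 2: every external function has a caller in the described flow, and nothing is kept "for future expansion".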
This is a hard lesson. But a hard lesson should never be wasted. Sharing these reflections to help the entire ecosystem in the joint defense against attackers. DeFi United, DeFi Strong! 🛡️