The contracts were dead, but someone forgot to bury them.

The Summary

  • Huma Finance lost $101,400 USDC when an attacker exploited deprecated V1 contracts on Polygon that the protocol had stopped using months ago
  • The exploit exposes a persistent DeFi problem: protocols migrate to new versions but leave old contracts live with accessible funds
  • Legacy code isn't just technical debt—it's a liability that sits there until someone bothers to check if the door's still unlocked

The Signal

Huma Finance, a real-world asset protocol, discovered the exploit on their V1 contracts deployed on Polygon. The company had already moved operations to V2, but the old contracts remained active on-chain with funds still sitting in them. An attacker found the vulnerability and drained $101,400 in USDC before the team caught it.

This isn't a sophisticated zero-day attack. This is someone poking around abandoned infrastructure and finding money left behind. The V1 contracts were deprecated—meaning Huma had publicly moved on from them—but deprecation in DeFi doesn't mean deletion. The code stays live forever unless explicitly disabled.

"Deprecated contracts remain a critical attack surface that most protocols treat as resolved simply by launching V2."

The pattern repeats across DeFi: protocol ships V1, finds bugs or wants new features, ships V2, tells users to migrate, then... forgets V1 exists. Except V1 doesn't stop existing. It sits there with:

  • Whatever funds users didn't migrate
  • Whatever permissions weren't revoked
  • Whatever vulnerabilities the team documented internally but never patched because "we're on V2 now"

The exploit highlights a structural problem in how DeFi handles legacy systems. Traditional finance has compliance frameworks, sunset procedures, mandatory fund transfers. DeFi has a Discord announcement and a hope that everyone reads it.

For Huma specifically, the timing is notable. The company focuses on tokenizing real-world assets—bringing traditional finance rails on-chain. They're pitching institutional partners on the stability and security of blockchain infrastructure. Then someone walks off with $101K from contracts the team thought were behind them. That's not the institutional-grade security story you want in the press.

The $101K loss is manageable for Huma. The reputational hit to the RWA narrative—that tokenized assets are more secure, more transparent, more auditable than traditional systems—is harder to price. One source frames this as exposing "ONE stubborn DeFi problem," and they're right: the industry keeps building forward without cleaning up backward.

The Implication

If you're running a DeFi protocol, audit what's still live. Not just your current contracts—every version you ever shipped that's still on-chain with any permissions or funds. Deprecation is a marketing term. On-chain, nothing is deprecated until it's explicitly killed.

For RWA protocols specifically, this is existential. You're asking institutions to trust that blockchain infrastructure is more robust than their current systems. Every exploit of "old code we're not using anymore" undermines that pitch. The bar for operational hygiene isn't DeFi-native standards. It's TradFi standards. That means formal sunset procedures, forced migrations, and actually turning things off.
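What "explicitly killed" can look like on-chain, as an added Solidity sketch that is not Huma's code: a hypothetical V1 pool whose sunset stops deposits, burns the admin key in the same transaction, and lets anyone push remaining balances into an assumed V2 `depositFor` entry point. `IPoolV2`, `depositFor` and the USDC-like token interface are assumptions for illustration.

```solidity
pragma solidity ^0.8.20;

// Minimal token surface used below (assumption: a USDC-like ERC-20).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}
// Assumed V2 entry point that pulls `amount` via transferFrom and credits `user`.
interface IPoolV2 {
    function depositFor(address user, uint256 amount) external;
}

/// Hypothetical V1 pool with an explicit sunset path (illustrative, not Huma's code).
contract LegacyPoolV1 {
    IERC20 public immutable asset;
    IPoolV2 public immutable v2;     // successor contract (assumed address)
    address public admin;
    bool public sunset;              // once true, deposits are dead for good
    mapping(address => uint256) public balances;

    event SunsetDeclared(address indexed by);
    event Migrated(address indexed user, uint256 amount);

    constructor(IERC20 _asset, IPoolV2 _v2) {
        asset = _asset;
        v2 = _v2;
        admin = msg.sender;
    }

    function deposit(uint256 amount) external {
        require(!sunset, "V1 is sunset: use V2");
        balances[msg.sender] += amount;
        require(asset.transferFrom(msg.sender, address(this), amount), "pull failed");
    }

    /// Turning V1 off: deposits stop and the admin key is burned atomically,
    /// so no privileged path outlives the deprecation announcement.
    function declareSunset() external {
        require(msg.sender == admin, "not admin");
        sunset = true;
        admin = address(0);
        emit SunsetDeclared(msg.sender);
    }

    /// Forced migration: after sunset anyone may move a user's V1 balance into V2
    /// credited to that same user, so funds do not sit in dead code.
    function migrate(address user) external {
        require(sunset, "not sunset yet");
        uint256 amount = balances[user];
        require(amount > 0, "nothing to migrate");
        balances[user] = 0;
        require(asset.approve(address(v2), amount), "approve failed");
        v2.depositFor(user, amount);
        emit Migrated(user, amount);
    }
}
```

The `SunsetDeclared` and `Migrated` events give monitoring a clean signal that the sunset actually happened and how much was still left in V1 when it did.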

Sources

RWA Times | Crypto Briefing