An Ethereum [ETH]-based initial coin offering (ICO) called HongCoin, introduced in 2016, recently made headlines after 1,003.62 ETH was recovered with the assistance of Florent, a white-hat security researcher. The recovered ETH was equivalent to $2 million and had been locked for nine years.

What caused the funds to be locked in for nine years?

For context, investors were expected to receive automatic refunds of their contributions because the project had initially fallen short of its fundraising goal. Unfortunately, these repayments could not be made due to a defect in the contract's refund mechanism, which essentially locked the money indefinitely.

During his investigation of the dormant contract, Florent found an integer overflow vulnerability in an administrator function. This vulnerability class is typical of early Ethereum smart contracts and allows numerical values to wrap around when they surpass their upper limit. By carefully crafting a specific input, the researcher was able to bypass the flawed refund condition, reset a holder's balance, and regain access to the refund process without stealing or misappropriating any money.

How did Florent recover the locked funds?

Following a successful test of the recovery method, the researcher shared the process with the HongCoin team, who subsequently carried out 41 on-chain transactions to unlock the trapped Ethereum. As a result, 48 original investors can now reclaim their funds, marking a rare example of a vulnerability being used for a beneficial purpose.

However, this is not his first recovery of this kind. Florent had previously released 19.329 ETH, or roughly $40,590, from two earlier contracts on 24 May. The first concerned a failed ICO in January 2018 that involved 5.141 ETH and an unnamed public refund function. The second involved a Liquality Wallet user who claimed to have refunded 14.190 ETH from seven expired atomic swaps on the user's behalf after Liquality shut down its app in 2024.
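
As an added illustration (not code from the article or from the HongCoin contract, whose source the article does not show), the Python model below shows the integer overflow class described above: the same admin-style balance update under wrapping uint256 arithmetic, as in early Solidity, and under checked arithmetic, as in SafeMath or Solidity 0.8 and later. `Ledger` and `admin_credit` are hypothetical names, and the 5 ETH balance is a constructed sample.

```python
# Added model of EVM uint256 arithmetic; names and values are hypothetical.
UINT256_MAX = 2**256 - 1

class Overflow(Exception):
    """Raised by checked arithmetic, mirroring a Solidity >=0.8 revert."""

def wrapping_add(a: int, b: int) -> int:
    # Pre-0.8 Solidity semantics: the sum is silently reduced mod 2**256.
    return (a + b) & UINT256_MAX

def checked_add(a: int, b: int) -> int:
    # SafeMath / Solidity >=0.8 semantics: revert instead of wrapping.
    if a + b > UINT256_MAX:
        raise Overflow(f"{a} + {b} exceeds uint256")
    return a + b

class Ledger:
    """Hypothetical balance book with an admin-only credit function."""

    def __init__(self, add):
        self.add = add          # arithmetic policy under test
        self.balances = {}

    def admin_credit(self, holder: str, amount: int) -> int:
        if not 0 <= amount <= UINT256_MAX:
            raise ValueError("amount is not a uint256")
        new = self.add(self.balances.get(holder, 0), amount)
        self.balances[holder] = new   # only reached if add() did not revert
        return new

def demo():
    start = 5 * 10**18                      # constructed sample: 5 ETH in wei
    wrap_amount = UINT256_MAX - start + 1   # start + wrap_amount == 2**256

    legacy = Ledger(wrapping_add)
    legacy.balances["holder"] = start
    wrapped = legacy.admin_credit("holder", wrap_amount)  # balance wraps round

    hardened = Ledger(checked_add)
    hardened.balances["holder"] = start
    try:
        hardened.admin_credit("holder", wrap_amount)
        rejected = False
    except Overflow:
        rejected = True
    # The checked ledger leaves the stored balance untouched after the revert.
    return wrapped, rejected, hardened.balances["holder"]
```

When auditing contracts compiled before Solidity 0.8, any state-changing function that adds or multiplies caller-supplied values without a SafeMath-style check deserves the same scrutiny.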
ETH's market dynamics

At the time of writing, ETH was trading at $1,982.30, down 1.85% over the previous day and more than 13% over the previous month. Meanwhile, Ethereum's Spot Taker CVD (Cumulative Volume Delta) has been primarily fluctuating between aggressive buying and selling streaks in 2026, indicating a fiercely competitive market. The press time data suggested that although buyers may still be in control, the strength of buying had fallen in comparison to previous peaks.

This comes after AMBCrypto recently revealed an exploit that used a well-known ERC4626 vulnerability class to drain about $152,000 from several lending markets.

Final Summary

White-hat security researcher Florent spearheaded the recovery after identifying an integer overflow vulnerability in the administrator function of the contract.

48 initial investors can now finally receive their money back as a result of this recovery.
1,003.62 ETH recovered after 9 years – How did a whitehat security researcher do it?
This article was originally published on AMBCrypto and is republished here under RSS syndication for informational purposes. All rights and intellectual property remain with the original author. If you are the author and wish to have this article removed, please contact us at [email protected].