HongCoin investors recover $2M in locked ETH after nine years
A white-hat researcher found an integer-overflow bug in a 2016 ICO contract, unlocking 1,003 ETH that 48 investors thought they'd never see again.
by Editorial Team, May 31, 2026
A security researcher operating under the handle 0xFlorent_ discovered an integer-overflow vulnerability in the HongCoin ICO smart contract, a bug that had been quietly trapping 1,003.62 ETH, worth roughly $2 million at current prices, since the original token sale failed to hit its funding goal. With the HongCoin team’s cooperation, the flaw was patched and investors can now reclaim contributions they likely wrote off years ago.
How a decade-old bug kept $2M hostage
The HongCoin ICO launched in August 2016, collecting ETH from 48 participants. When the raise didn’t meet its target, the contract was designed to automatically refund contributors. An integer-overflow bug — a type of flaw where a number exceeds the maximum value a variable can store, causing it to wrap around to zero or some unintended value — broke the refund mechanism entirely. The ETH sat at contract address 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9, visible on-chain but completely inaccessible, for nine years.
The rescue operation
Rather than exploiting the vulnerability directly, 0xFlorent_ validated the exploit in a local testing environment first, then privately shared the full recovery methodology with the HongCoin team.
Between May 26 and May 30, the HongCoin team executed 41 on-chain transactions to restore the contract’s ability to process refunds. No new smart contracts were deployed. No intermediaries were introduced. The fix allowed funds to flow back through the original contract, meaning investors could claim their ETH directly.
By May 31, when 0xFlorent_ publicly disclosed the vulnerability and the recovery process, approximately 907 ETH still remained in the contract. That gap between the original 1,003.62 ETH and the remaining 907 ETH suggests that some investors had already begun claiming their refunds within the first few days, roughly 96 ETH worth of successful withdrawals.
0xFlorent_ described it as the first white-hat exploit of this kind in Ethereum’s history.
The bigger picture for legacy smart contracts
The HongCoin recovery highlights the risk posed by legacy contracts. These old contracts weren’t written with tools like OpenZeppelin’s SafeMath library, which was specifically designed to prevent integer-overflow errors. Solidity, Ethereum’s primary programming language, didn’t add built-in overflow protection until version 0.8.0, released in December 2020, years after the HongCoin contract was deployed.
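To make the difference between wrapping and checked arithmetic concrete, here is an added Python model of EVM uint256 math; it is an illustration written for this page, not code from the HongCoin contract or from 0xFlorent_. The ledger, its `deduct` step and the sample amounts are hypothetical and constructed; they show how one wrapped value can leave a refund check permanently failing, while a SafeMath-style check rejects the faulty operation and leaves the refund path intact.

```python
UINT256_MAX = 2**256 - 1  # largest value an EVM uint256 can hold

class Revert(Exception):
    """Stands in for an EVM revert (SafeMath require, or a Solidity >= 0.8.0 check)."""

def wrapping_add(a, b):   # Solidity < 0.8.0 `a + b`: silently wraps modulo 2**256
    return (a + b) & UINT256_MAX

def wrapping_sub(a, b):   # Solidity < 0.8.0 `a - b`
    return (a - b) & UINT256_MAX

def checked_add(a, b):    # SafeMath-style add: revert instead of wrapping
    if a + b > UINT256_MAX:
        raise Revert("addition overflow")
    return a + b

def checked_sub(a, b):    # SafeMath-style sub
    if b > a:
        raise Revert("subtraction underflow")
    return a - b

class ToyRefundLedger:
    """Hypothetical bookkeeping (not the HongCoin contract): owed[addr] is refundable wei."""
    def __init__(self, sub):
        self.sub, self.balance, self.owed = sub, 0, {}

    def contribute(self, addr, wei):
        self.owed[addr] = self.owed.get(addr, 0) + wei
        self.balance += wei

    def deduct(self, addr, wei):
        # Constructed bug site: nothing ensures wei <= owed[addr].
        self.owed[addr] = self.sub(self.owed[addr], wei)

    def refund(self, addr):
        amount = self.owed[addr]
        if amount > self.balance:   # guard can never pass once owed has wrapped
            raise Revert("insufficient balance")
        self.owed[addr], self.balance = 0, self.balance - amount
        return amount

def demo(sub):
    ledger = ToyRefundLedger(sub)
    ledger.contribute("alice", 10**18)          # 1 ETH in wei (constructed input)
    try:
        ledger.deduct("alice", 10**18 + 1)      # one wei more than is owed
    except Revert as e:
        return str(e), ledger.refund("alice")   # bad call rejected, refund still works
    try:
        return "ok", ledger.refund("alice")
    except Revert as e:
        return str(e), ledger.owed["alice"]     # refund path is stuck
```

Calling `demo(wrapping_sub)` and `demo(checked_sub)` side by side shows the two outcomes: in the first the owed amount becomes 2**256 - 1 and the refund is rejected on every call, in the second the bad deduction is refused and the full 10**18 wei is refunded.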
The crypto community’s response on social media has been broadly positive, with many pointing to the coordinated effort between 0xFlorent_ and the HongCoin team as a template for how these situations should be handled. No public statement has been issued by the HongCoin team regarding a potential bug bounty for the researcher, which is worth noting given that the recovered value sits around $2 million.
What this means for investors
For the 48 original HongCoin investors, the immediate implication is straightforward: check whether your wallet address is eligible for a refund from the contract. With 907 ETH still sitting there as of May 31, a significant majority of affected participants haven’t claimed yet.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.