Security researcher frees $2M in ETH from 2016 Hongcoin bug
Security researcher 0xflorent recovered 1,003.62 ETH (~$2 million) trapped since a 2016 Hongcoin ICO by using an integer overflow in a multisig admin function to refund contributors.
Security researcher 0xflorent recovered 1,003.62 ETH, about $2 million, that had been trapped in a Hongcoin smart contract since a 2016 ICO. The researcher used an integer-overflow condition in an admin function tied to the project’s multisig wallet to enable refunds to original contributors.
Hongcoin, deployed in 2016 as a community-run decentralized investment fund, failed to reach its funding target and was meant to issue automatic refunds. A flaw in the refund logic compared each holder’s token balance to a global counter that had been reduced over time to 356. That comparison capped refunds at 3.56 ETH per address and left 48 investors unable to recover larger balances. The contract is publicly viewable at address 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9.
The exploitable code was an admin-only function originally intended to mint bounty tokens. The function lacked the overflow protections common in modern Solidity code. Given a specific input value, it wrapped a holder’s token balance down to 1, which bypassed the refund check and allowed the contract to release the associated ETH to the holder. Florent described the action as the “first white-hat exploit on Ethereum,” and said the method did not change ownership or create any new control paths in the contract.
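The mechanism described above can be followed in a simplified model, added here as an illustration; it is not Hongcoin's contract code or the researcher's tooling. The class and function names, the assumed `balance <= counter` form of the guard, and the sample balances are all constructed for this example.

```python
# Simplified model, constructed for illustration; not the Hongcoin contract.
UINT256 = 2**256


def add_unchecked(a: int, b: int) -> int:
    """uint256 addition as in pre-0.8 Solidity: silently wraps modulo 2**256."""
    return (a + b) % UINT256


def add_checked(a: int, b: int) -> int:
    """uint256 addition as in Solidity >= 0.8 or SafeMath: reverts on overflow."""
    if a + b >= UINT256:
        raise OverflowError("uint256 addition overflow (transaction would revert)")
    return a + b


class FundModel:
    """Hypothetical stand-in for the token ledger and its refund guard."""

    def __init__(self, balances, counter, add=add_unchecked):
        self.balances = dict(balances)
        self.counter = counter  # global counter, 356 in the article
        self.add = add

    def refund_allowed(self, holder) -> bool:
        # Assumed form of the flawed guard: balance must not exceed the counter.
        return 0 < self.balances[holder] <= self.counter

    def blocked_holders(self):
        return sorted(h for h in self.balances if not self.refund_allowed(h))

    def mint_bounty(self, holder, amount):
        # Admin-only on chain; access control is left out of this model.
        self.balances[holder] = self.add(self.balances[holder], amount)


def amount_wrapping_to(balance: int, target: int) -> int:
    """Mint amount for which balance + amount == target modulo 2**256."""
    return (target - balance) % UINT256


if __name__ == "__main__":
    ledger = {"alice": 200, "bob": 5_000}  # constructed sample balances
    fund = FundModel(ledger, counter=356)
    print("blocked before:", fund.blocked_holders())
    fund.mint_bounty("bob", amount_wrapping_to(5_000, 1))
    print("bob balance:", fund.balances["bob"], "blocked:", fund.blocked_holders())
    strict = FundModel(ledger, counter=356, add=add_checked)
    try:
        strict.mint_bounty("bob", amount_wrapping_to(5_000, 1))
    except OverflowError as exc:
        print("checked arithmetic:", exc)
```

With checked arithmetic the same mint call reverts and the balance is unchanged, which is why the wraparound is only reachable in contracts compiled without overflow protection.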
Before acting on mainnet, Florent tested the entire unlock sequence on a local Foundry fork and contacted the dormant Hongcoin team by email. The team’s multisig signed 41 transactions, one for each blocked holder requiring the balance reset. Seven holders with smaller balances were able to claim refunds without the workaround. The coordinated recovery took about a week and, as of June 1, 2026, all 1,003.62 ETH had been unfrozen.
Two investors have claimed a combined 96.5 ETH, roughly $193,000, and voluntarily offered a bounty; Florent accepted no fees, cuts, or commissions. Approximately 882 ETH remains available for other original contributors to claim.
Florent publicly returned 19.329 ETH on May 24 from a separate 2018 ICO contract and expired atomic swaps linked to a defunct wallet. He uses custom scanning tools and a self-hosted Ethereum node to find contracts holding more than 100 ETH and noted that many older contracts are forks of one another, which can concentrate similar vulnerabilities. He also used an AI-assisted tool, Claude Code, to speed analysis but warned it can be overly pessimistic about some contracts.
Hundreds of contracts from the 2016–2017 ICO period still hold locked funds that contributors largely abandoned. The Hongcoin recovery required targeted technical analysis, local testing, and cooperation from the project’s multisig to return funds to original holders without adding any new access mechanisms.