Researcher recovers $2M stuck in 2016 HongCoin ICO
Security researcher Florent recovered 1,003 ETH (about $2M) trapped nine years in the 2016 HongCoin ICO by resetting token balances; the project’s multisig signed the unlocks.
Security researcher Florent recovered about 1,003 ETH, roughly $2 million at current prices, that had been locked for nine years in the 2016 HongCoin (The HONG) ICO contract. The recovery used an admin function to reset token balances, and the project’s multisig signers executed the unlock transactions after Florent mapped the fix.
The original token sale did not meet its funding goal and was designed to automatically refund contributors. A flaw in the contract’s refund routine caused the function to reject any holder whose token balance exceeded a global counter. Years of partial refunds reduced that counter to 356, which limited refunds to 3.56 ETH for larger holders and left roughly 1,003 ETH inaccessible.
The contract was compiled with an older version of the Solidity programming language that did not include built-in checks against arithmetic overflow. An admin function, intended to mint bounty tokens and restricted to the project’s multisig, could be called with a specific input that triggered an overflow and reset a targeted holder’s balance to 1. With the balance reset, the refund check passed and the ETH could be withdrawn.
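The refund block and the balance reset described above, as an added Python model that is not the HongCoin contract's code: the class, the function names and the 50,000-token balance are constructed, and only the counter value 356 comes from the article. It also shows that checked arithmetic, the default since Solidity 0.8, rejects the same call.

```python
# Simplified model of the behaviour the article describes; NOT the HongCoin contract.
# ToyToken, refund_allowed, mint_* and the sample balance are constructed names/values.
UINT256_MOD = 2**256  # a Solidity uint256 holds values in [0, 2**256 - 1]


class ToyToken:
    def __init__(self, global_counter, balances):
        self.global_counter = global_counter  # shrinks as refunds are paid out
        self.balances = dict(balances)

    def refund_allowed(self, holder):
        # Flawed check as described: reject any holder whose token balance
        # exceeds the global counter.
        return self.balances[holder] <= self.global_counter

    def mint_unchecked(self, holder, amount):
        # Pre-0.8 Solidity semantics: addition silently wraps modulo 2**256.
        # (In the article this function is restricted to the project multisig;
        # access control is left out of this model.)
        self.balances[holder] = (self.balances[holder] + amount) % UINT256_MOD

    def mint_checked(self, holder, amount):
        # Solidity >= 0.8 / SafeMath semantics: an overflowing add reverts.
        total = self.balances[holder] + amount
        if total >= UINT256_MOD:
            raise OverflowError("uint256 overflow: transaction reverts")
        self.balances[holder] = total


def amount_wrapping_to(balance, target):
    # Amount for which (balance + amount) mod 2**256 equals target.
    return (target - balance) % UINT256_MOD


def demo():
    token = ToyToken(356, {"holder": 50_000})  # 50_000 is a constructed balance
    blocked_before = not token.refund_allowed("holder")
    amount = amount_wrapping_to(token.balances["holder"], 1)
    token.mint_unchecked("holder", amount)
    return blocked_before, token.balances["holder"], token.refund_allowed("holder")


if __name__ == "__main__":
    print(demo())
```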
Florent said he discovered the exploit path while running a self-hosted Ethereum node and validated the sequence on a Foundry mainnet fork. He contacted the HongCoin multisig, explained the sequence and provided the transactions. The multisig then signed 41 transactions, one per blocked holder, to free about 1,000 ETH. Seven other investors held small enough amounts to be refunded directly. The process took about a week from the first message to completion.
By Florent’s count, 48 original investors are now eligible to claim previously frozen funds. Two investors have reclaimed a combined 96.5 ETH and voluntarily sent a whitehat reward. Florent reported that no fee, cut or commission was taken.
Florent has carried out other recoveries. On May 24 he reported releasing 19.329 ETH from two older contracts: 5.141 ETH from a failed January 2018 ICO with an uncalled refund function, and 14.190 ETH tied to expired atomic swaps from a wallet user, which he refunded after the wallet app wound down. To find targets, Florent built a scanner that flags contracts holding more than 100 ETH and clusters contracts that are forks of one another, since the same flaw can repeat across copies.
Florent also used AI tooling to speed parts of the work, noting that a model helped sort and cluster contracts but can be misleading when asked to analyze raw smart-contract code. The recovery took place amid a period of frequent high-value losses in decentralized finance; security incidents and recoveries have continued to appear across the ecosystem.
“There were no fees, no cut, no commission,” Florent wrote, adding that curiosity and a desire to understand old contracts drove the effort.