Security researcher recovers $2M from 2016 Ethereum ICO contract bug
In brief
- 0xflorent identified integer-overflow bug in HongCoin's 2016 ICO contract.
- Recovery freed 1,003.62 ETH (~$2M) for 48 investors unable to claim refunds.
- Two investors already claimed 96.5 ETH (~$193K) from the unlock.
- Second major fund recovery publicized by 0xflorent in eight days.
The Stuck Funds
The HongCoin token sale was a 2016 ICO that fell short of its funding goal and was supposed to auto-refund investors' ether. The refund function failed, however, because of a flaw in how the contract tracked eligible claimants. The refund logic rejected any holder whose token balance exceeded a global counter, and years of partial refunds had decremented that counter to 356. The 48 investors holding more tokens than that could no longer pass the check, even though the ether owed to them was still sitting in the contract.
0xflorent traced the root cause to an admin function that lacked the integer-overflow checks later Solidity versions (0.8.0 and up) perform by default. That same missing check is what made the repair possible: the admin function could still move the counter, so the team could reset it to a value the blocked holders could pass and unblock the trapped ether.
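A constructed Solidity sketch of the failure mode described above, added here as an illustration and not HongCoin's contract: a refund gated on a shared counter, an admin adjuster written the pre-0.8 way (no overflow checks), and a hardened version keyed on each holder's own recorded contribution. Contract and function names, the token rate and the bookkeeping are assumptions; the page does not say how the team actually moved the counter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the bug class described above: a refund gated on a
// shared counter, plus an admin adjuster using pre-0.8 (unchecked) arithmetic.
// Names, rates and bookkeeping are assumptions, not HongCoin's contract.
contract CounterGatedRefund {
    address public immutable admin;
    uint256 public constant TOKENS_PER_ETH = 1000;

    mapping(address => uint256) public balances;  // tokens held per address
    mapping(address => uint256) public paidWei;   // ether contributed per address
    uint256 public refundable;                    // global counter gating refunds

    constructor(uint256 initialRefundable) {
        admin = msg.sender;
        refundable = initialRefundable;
    }

    function contribute() external payable {
        paidWei[msg.sender] += msg.value;
        balances[msg.sender] += msg.value * TOKENS_PER_ETH / 1 ether;
    }

    // Bug class: once the shared counter drops below a holder's balance
    // (e.g. to 356 after years of other refunds), that holder is locked out
    // even though the ether owed to them is still in the contract.
    function refund() external {
        uint256 tokens = balances[msg.sender];
        require(tokens > 0, "nothing to refund");
        require(tokens <= refundable, "balance exceeds refundable counter");
        refundable -= tokens;
        uint256 owed = paidWei[msg.sender];
        balances[msg.sender] = 0;
        paidWei[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: owed}("");
        require(ok, "refund transfer failed");
    }

    // Admin-only adjustment written the pre-0.8 way: no overflow checks, so a
    // subtraction below zero wraps to 2**256 - n instead of reverting.
    // Under 0.8+ an explicit unchecked block is needed to reproduce that.
    function adjustCounter(int256 delta) external {
        require(msg.sender == admin, "admin only");
        unchecked {
            if (delta < 0) refundable -= uint256(-delta);
            else refundable += uint256(delta);
        }
    }
}

// Hardened form: each holder's claim depends only on their own recorded
// contribution, so no shared counter can strand anyone.
contract PerHolderRefund {
    mapping(address => uint256) public paidWei;
    bool public refundsOpen;

    function contribute() external payable {
        require(!refundsOpen, "sale closed");
        paidWei[msg.sender] += msg.value;
    }

    function openRefunds() external {
        refundsOpen = true; // in practice: admin- or deadline-gated
    }

    function refund() external {
        require(refundsOpen, "refunds not open");
        uint256 owed = paidWei[msg.sender];
        require(owed > 0, "nothing to refund");
        paidWei[msg.sender] = 0; // zero before sending (checks-effects-interactions)
        (bool ok, ) = msg.sender.call{value: owed}("");
        require(ok, "refund transfer failed");
    }
}
```

The point of the second contract is the invariant: a holder's ability to claim must depend only on state that holder controls, never on an aggregate that other holders' actions can push below their balance. Checked arithmetic in 0.8 would make `adjustCounter` revert on wraparound, but it would not by itself remove the lock-out in `refund`; that needs the per-holder accounting.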
The Recovery Process
Because only HongCoin's multisig wallet could execute the admin function, 0xflorent contacted the team by email and validated the unlock sequence on a test fork before they signed anything. The team then signed 41 transactions, one per blocked holder, freeing the roughly 1,000 ETH that was genuinely stuck.
Two of the 48 eligible investors have already claimed their funds, retrieving a combined 96.5 ETH worth roughly $193,000.
A Pattern Emerges
This is the second such recovery 0xflorent has publicized in eight days. On May 24, he returned 19.329 ETH, worth about $40,590, to its original owners. That recovery included 5.141 ETH from a failed January 2018 ICO and 14.190 ETH from expired atomic swaps in a Liquality Wallet user account that became inaccessible after the wallet shut down in 2024.
The back-to-back recoveries highlight how older smart contracts, written before Solidity 0.8.0 made overflow checks the default, can trap funds indefinitely. Whitehat researchers willing to audit legacy code and coordinate with the teams that still hold the admin keys can surface solutions for investors who have waited years.