Security researcher recovers $2M in locked ETH from nine-year-old HongCoin bug
In brief
- 0xFlorent_ identified an integer-overflow bug in HongCoin's ICO contract trapping 1,003.62 ETH since August 2016.
- HongCoin team executed 41 on-chain transactions (May 26-30) to restore the refund mechanism without redeploying.
- Approximately 907 ETH remained claimable by May 31 as investors accessed refunds after nine years.
The Bug and the Trap
An integer-overflow bug broke the refund mechanism entirely. This type of flaw occurs when a number exceeds the maximum value a variable can store, causing it to wrap around to zero or some unintended value. The HongCoin ICO launched in August 2016, collecting ETH from 48 participants. When the token sale failed to hit its funding goal, the refund logic should have activated — but the integer-overflow flaw left the funds inaccessible for nearly a decade.
Legacy smart contracts like HongCoin were not written with tools like OpenZeppelin's SafeMath library, which was specifically designed to prevent integer-overflow errors. Solidity, Ethereum's primary programming language, didn't add built-in overflow protection until version 0.8.0, released in December 2020, years after the HongCoin contract was deployed.
The Recovery
Rather than exploiting the vulnerability directly, 0xFlorent_ validated the exploit in a local testing environment first, then privately shared the recovery methodology with the HongCoin team. Between May 26 and May 30, the HongCoin team executed 41 on-chain transactions to restore the contract's ability to process refunds.
No new smart contracts were deployed. No intermediaries were introduced. The fix allowed funds to flow back through the original contract without adding layers of complexity or trust assumptions. By May 31, when 0xFlorent_ publicly disclosed the vulnerability and the recovery process, approximately 907 ETH still remained in the contract after some investors began claiming refunds.
A Precedent in White-Hat Recovery
0xFlorent_ described it as the first white-hat exploit of this kind in Ethereum's history. The crypto community's response on social media has been broadly positive, with many pointing to the coordinated effort between researcher and team. No public statement has been issued by the HongCoin team regarding a potential bug bounty for the researcher, which is worth noting given the scale of the recovery.
Frequently asked questions
What is an integer-overflow bug?
An integer-overflow bug occurs when a number exceeds the maximum value a variable can store, causing it to wrap around to zero or an unintended value. In the HongCoin contract, this flaw broke the refund mechanism that should have activated when the token sale failed to hit its funding goal.
Why wasn't this bug caught earlier?
Legacy smart contracts like HongCoin were written before tools like OpenZeppelin's SafeMath library existed to prevent integer-overflow errors. Solidity itself didn't add built-in overflow protection until version 0.8.0 in December 2020, years after the HongCoin contract deployed in August 2016.
How did the researcher recover the funds?
The researcher (0xFlorent_) validated the exploit in a local testing environment, then privately shared the recovery methodology with the HongCoin team. The team executed 41 on-chain transactions to restore the refund mechanism without deploying new contracts or introducing intermediaries.
