White-hat hacker recovers $2M from 2016 Hong Coin ICO smart contract
In brief
- White-hat hacker 0xflorent recovered $2 million in Ether from faulty Hong Coin ICO smart contract.
- Funds locked for nearly a decade due to refund function bug in 2016 ICO.
- Integer overflow vulnerability in admin function enabled recovery and refunds to 48 investors.
The Bug That Trapped Funds
The Hong Coin ICO started on Aug. 29, 2016, and ended about two months later on Oct. 28. Investors who sent ETH to the HONG smart contract were supposed to receive 250 million HONG tokens distributed across five stages. The contract held all the capital and was designed to auto-refund participants if the venture didn't meet its target.
But something broke. A bug in the refund function quietly prevented automatic refunds, and the funds got stuck. For years, those 48 investors had no way to recover their Ether.
Finding the Exploit
Enter 0xflorent, a white-hat hacker who identified a path forward. The recovery relied on a flawed admin function that contains an integer overflow vulnerability. Calling this function with a specific input resets a holder's balance, which unblocks the refund check.
"The contract held all the investors' ETH and was supposed to auto-refund them. However, a bug in the refund function quietly broke that, and the funds got stuck." — 0xflorent, white-hat hacker
Refunds Begin
The recovery is now underway. One Hong Coin investor has already been refunded 96 ETH, now worth about $192,500. With the admin function exploit documented and shared, the remaining 47 investors can now access their capital. It's a reminder that even abandoned smart contracts can be salvaged when security researchers apply their skills to help rather than harm.


