HongCoin Investors Recover $2 Million After Nine-Year Lockup

Severity: Low (Score: 39.9)

Sources: Valuethemarkets, Theblock.Co, Cryptobriefing, www.coinage.media

Published: 2026-06-01 · Updated: 2026-06-01

Keywords: contract, nine, years, million, locked, investors, recover

Summary

A security researcher named Florent discovered an integer-overflow bug in the HongCoin ICO smart contract, which had locked approximately 1,003 ETH (around $2 million) since 2016. The bug prevented refunds to investors after the ICO failed to meet its funding goal. Florent worked with the HongCoin team to patch the vulnerability without deploying new contracts, enabling investors to reclaim their funds. As of May 31, 2026, around 907 ETH remained available for claims, indicating many investors had yet to act. This incident highlights the risks associated with legacy contracts lacking modern protections. The HongCoin case serves as a reminder of the importance of reviewing older smart contracts to safeguard investor interests.

Key Points:

  • A decade-old integer-overflow bug in HongCoin's ICO contract was fixed, unlocking $2 million.
  • The recovery process involved collaboration between the researcher and the HongCoin team.
  • 907 ETH remains available for investors to claim as of May 31, 2026.

Detailed Analysis

**Impact** Forty-eight investors in the 2016 HongCoin ICO were affected by an integer-overflow bug that locked approximately 1,003.62 ETH, valued at around $2 million as of 2026. The funds remained inaccessible for nine years, preventing investors from reclaiming their contributions. The recovery effort has enabled investors to begin claiming refunds, with roughly 907 ETH still unclaimed as of May 31. The event primarily impacts Ethereum-based DeFi investors and legacy ICO participants globally.

**Technical Details** The vulnerability exploited was an integer-overflow bug in the HongCoin ICO smart contract, written in Solidity prior to version 0.8.0, which lacked built-in overflow protections. The bug caused the refund mechanism to fail by capping refunds due to a global counter underflow. The recovery was performed using a white-hat exploit leveraging an admin function restricted to the HongCoin multisig, resetting token balances to enable refunds without deploying new contracts. No malware or external infrastructure was involved, and no CVEs are referenced.

**Recommended Response** Defenders should audit legacy smart contracts deployed before Solidity 0.8.0 for integer-overflow vulnerabilities and apply SafeMath or equivalent overflow protection libraries. Investors holding tokens from legacy ICOs should verify eligibility for refunds on affected contracts. Monitoring on-chain contract activity for unusual admin function calls related to refunds is advised. No immediate patching is possible for immutable contracts, so focus should be on responsible disclosure and coordinated recovery efforts.
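
One way to run the audit step recommended above, as an added example that is not part of the original report or any project's code: a heuristic Python triage that reads a file's `pragma solidity` range and lists the lines with raw arithmetic when a pre-0.8.0 compiler is admitted. The `RefundLedger` contract is a constructed sample, not the HongCoin source, and the function names are assumptions.

```python
import re

CHECKED_SINCE = (0, 8, 0)   # first Solidity release with checked arithmetic by default
PRAGMA = re.compile(r"pragma\s+solidity\s+([^;]+);")
BOUND = re.compile(r"(\^|~|>=|<=|>|<|=)?\s*(\d+)\.(\d+)(?:\.(\d+))?")
# Heuristic: raw + - * ** and their compound assignments between operands.
ARITH = re.compile(r"[\w\])]\s*(\+=|-=|\*=|\+(?!\+)|-(?!-)|\*\*?)\s*[\w(]")

# Constructed sample, not the HongCoin source.
SAMPLE = """\
pragma solidity ^0.4.11;
contract RefundLedger {
    mapping (address => uint) public balances;
    uint public tokensOutstanding;
    function refund() public {
        uint amount = balances[msg.sender];
        balances[msg.sender] = 0;
        tokensOutstanding -= amount;   // wraps silently below zero before 0.8.0
        msg.sender.transfer(amount);
    }
}
"""

def lowest_compiler(source):
    """Lowest compiler version the pragma admits; (0, 0, 0) if unbounded below."""
    m = PRAGMA.search(source)
    if not m:
        return (0, 0, 0)                      # no pragma: treat as legacy
    lows = []
    for alt in m.group(1).split("||"):        # alternatives are OR-ed
        lower = [(int(a), int(b), int(c or 0))
                 for op, a, b, c in BOUND.findall(alt) if op not in ("<", "<=")]
        lows.append(max(lower) if lower else (0, 0, 0))
    return min(lows)

def audit(source):
    """Triage one Solidity file: legacy compiler range and raw-arithmetic lines."""
    low = lowest_compiler(source)
    legacy = low < CHECKED_SINCE
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        code = line.split("//")[0]            # drop line comments
        if legacy and not re.match(r"\s*(pragma|import)\b", code) and ARITH.search(code):
            hits.append(n)
    return {"lowest": low, "legacy": legacy,
            "safemath": bool(re.search(r"using\s+SafeMath\s+for", source)),
            "review_lines": hits}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Raw operators are listed even when `safemath` is true, because `using SafeMath for` only protects calls such as `.sub()` and leaves a plain `-=` unchecked. The version check is conservative: an exclusive lower bound such as `>0.7.9` is still reported as legacy.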

Source articles (4)

  • HongCoin investors recover $2M in locked ETH after nine years — Cryptobriefing · 2026-05-31
    A white-hat researcher found an integer-overflow bug in a 2016 ICO contract, unlocking 1,003 ETH that 48 investors thought they'd never see again. A security researcher operating under the handle 0xFl…
  • HongCoin ICO Recovery: How a Decade-Old Bug Was Fixed and $2M Was Reclaimed — Valuethemarkets · 2026-05-31
    A security researcher fixed a decade-old bug in the HongCoin ICO smart contract, unlocking $2 million for investors to reclaim. The HongCoin initial coin offering started in August 2016 and attracted…
  • Dev helps rescue $2 million locked in 2016 ICO contract for nine years with whitehat exploit — Theblock.Co · 2026-06-01
    A developer known as Florent says he helped recover 1,003 ETH, worth roughly $2 million at current prices, that had sat trapped in a 2016 initial coin offering (ICO) contract for nine years. The contr…
  • He Stole 200 Million He Gave It Back Now Hes Ready To Explain Why — www.coinage.media · 2026-06-01
    In a Coinage exclusive, the hacker behind 2023's biggest crypto heist explains himself By: Zack Abrams, Edited by Zack Guzman In a matter of 18 minutes, on March 13, 2023, a hacker drained nearly $200…

Timeline

  • 2016-08-01 — HongCoin ICO launched: HongCoin's ICO began, attracting contributions in ETH from 48 participants but failed to meet its funding target.
  • 2026-05-26 — Vulnerability discovered: Florent found an integer-overflow bug in the HongCoin ICO smart contract that had locked funds since 2016.
  • 2026-05-30 — Funds unlocked: The HongCoin team executed 41 transactions to restore the contract's refund functionality, allowing investors to reclaim their ETH.
  • 2026-05-31 — Investors begin claiming funds: As of May 31, 2026, around 907 ETH remained accessible for investors to claim after the recovery process.

Related entities

  • Lazarus Group (APT Group)
  • Euler Finance (Company)
  • Euler Labs (Company)
  • Forta (Company)
  • HongCoin (Company)
  • Hypernative (Company)
  • Kelp DAO (Company)
  • PeckShield (Company)
  • The HONG (Company)
  • Ethereum (Company)
  • CWE-190 - Integer Overflow or Wraparound (CWE)
  • times.in (Domain)
  • 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9 (Eth)
  • Foundry (Tool)
  • Tornado Cash (Tool)
  • OpenZeppelin SafeMath (Platform)
  • SafeMath Library (Platform)
  • Solidity (Platform)
  • Integer Overflow (Attack Type)