Investors Recover $2M in ETH from 2016 HongCoin ICO Contract
Severity: Low (Score: 27.9)
Sources: www.coinage.media, Cryptobriefing, Theblock.Co
Keywords: contract, nine, years, million, locked, investors, recover
Summary
A security researcher known as 0xFlorent_ discovered an integer-overflow vulnerability in the HongCoin ICO smart contract, which had trapped 1,003 ETH worth approximately $2 million since 2016. The ICO, launched in August 2016, failed to meet its funding goal, and a bug prevented automatic refunds to investors. With the cooperation of the HongCoin team, the vulnerability was validated and patched, allowing investors to reclaim their funds. The recovery process involved 41 on-chain transactions executed by the HongCoin team between May 26 and May 30, 2026. As of May 31, 2026, many investors had not yet claimed their refunds, with 907 ETH still remaining in the contract. This incident marks a significant example of a white-hat exploit in Ethereum's history, highlighting the risks associated with legacy smart contracts.

Key Points:
- 1,003 ETH, worth $2 million, was trapped in the HongCoin ICO contract since 2016.
- The recovery involved collaboration between the researcher and the HongCoin team to patch the vulnerability.
- 907 ETH remains unclaimed by investors as of May 31, 2026.
Detailed Analysis
**Impact**
Forty-eight investors in the 2016 HongCoin ICO were affected by a nine-year lockup of 1,003 ETH, valued at approximately $2 million as of June 2026. The funds were inaccessible due to a contract bug, preventing refunds after the ICO failed to meet its funding goal. Two investors have reclaimed about 96.5 ETH (~$193,000) so far, leaving roughly 907 ETH still unclaimed. The event primarily impacts Ethereum investors involved in legacy ICO contracts, with no direct operational or data loss reported.

**Technical Details**
The issue stemmed from an integer-overflow vulnerability in the HongCoin smart contract, deployed with an early Solidity version lacking built-in overflow protections. The refund function failed because a global counter used to validate token balances underflowed, capping refunds at an incorrect low value. The exploit leveraged an admin-only minting function to reset token balances, enabling refunds to process correctly. No new contracts were deployed; the fix involved 41 on-chain transactions executed by the original multisig team after private disclosure by the white-hat researcher 0xFlorent_. No malware or CVEs were referenced.

**Recommended Response**
Review and audit legacy smart contracts for integer-overflow vulnerabilities, especially those deployed before Solidity 0.8.0 or lacking SafeMath protections. Investors should verify eligibility for refunds on affected contracts and coordinate with contract owners for secure fund recovery. Security teams should monitor for unauthorized attempts to exploit similar overflow bugs and validate multisig transaction integrity. No immediate patching is possible for already deployed contracts beyond manual intervention and coordinated fixes.
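A first-pass triage for the audit recommended above, as an added example that is not from the source articles or the HongCoin project: it reads a contract's `pragma solidity` floor and lists raw arithmetic operators in sources compiled below 0.8.0, where arithmetic wraps silently. The three sample sources are constructed for illustration and are not the HongCoin contract; `triage` and `min_version` are hypothetical helper names.

```python
import re

# Constructed sample sources for illustration (not the HongCoin contract).
LEGACY = '''pragma solidity ^0.4.2;
contract Sale {
    uint public tokensCreated;
    mapping(address => uint) balances;
    function refund() {
        tokensCreated -= balances[msg.sender];
    }
}'''
SAFE_LEGACY = '''pragma solidity ^0.4.24;
import "./SafeMath.sol";
contract Sale {
    using SafeMath for uint256;
    uint256 public total;
    function add(uint256 v) public { total = total.add(v); }
}'''
MODERN = '''pragma solidity ^0.8.20;
contract Sale { uint256 public total; function add(uint256 v) public { total += v; } }'''

# The first version number in the pragma is treated as the compiler floor.
PRAGMA = re.compile(r'pragma\s+solidity\s+[^;0-9]*(\d+)\.(\d+)(?:\.(\d+))?')
# Raw operators that wrap silently before 0.8.0 (SafeMath .add/.sub calls do not match).
ARITH = re.compile(r'\+=|-=|\*=|\+\+|--|[\w\])]\s*[-+*]\s*[\w(]')

def min_version(src):
    m = PRAGMA.search(src)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def triage(src):
    ver = min_version(src)
    # Solidity 0.8.0 and later revert on overflow/underflow by default.
    checked = ver is not None and ver >= (0, 8, 0)
    safemath = bool(re.search(r'using\s+SafeMath\s+for', src))
    hits = []
    if not checked:
        # 'using SafeMath' only protects explicit library calls, so raw
        # operators are reported even when the library is imported.
        for n, line in enumerate(src.splitlines(), 1):
            code = line.split('//')[0]
            if code.lstrip().startswith(('pragma', 'import')):
                continue
            if ARITH.search(code):
                hits.append((n, code.strip()))
    return {'version': ver, 'checked': checked, 'safemath': safemath, 'hits': hits}
```

Each hit is a line for manual review, not a confirmed bug; the regex does not parse Solidity and ignores block comments and `unchecked` blocks.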
Source articles (3)
- HongCoin investors recover $2M in locked ETH after nine years — Cryptobriefing · 2026-05-31
  A white-hat researcher found an integer-overflow bug in a 2016 ICO contract, unlocking 1,003 ETH that 48 investors thought they'd never see again. A security researcher operating under the handle 0xFl…
- Dev helps rescue $2 million locked in 2016 ICO contract for nine years with whitehat exploit — Theblock.Co · 2026-06-01
  A developer known as Florent says he helped recover 1,003 ETH, worth roughly $2 million at current prices, that had sat trapped in a 2016 initial coin offering (ICO) contract for nine years. The contr…
- He Stole 200 Million He Gave It Back Now Hes Ready To Explain Why — www.coinage.media · 2026-06-01
  In a Coinage exclusive, the hacker behind 2023's biggest crypto heist explains himself By: Zack Abrams, Edited by Zack Guzman In a matter of 18 minutes, on March 13, 2023, a hacker drained nearly $200…
Timeline
- 2016-08-01 — HongCoin ICO launched: The ICO aimed to raise funds but failed to meet its target, trapping investor ETH.
- 2026-05-24 — Florent discovers vulnerability: 0xFlorent_ identifies an integer-overflow bug in the HongCoin contract that prevents refunds.
- 2026-05-26 — Recovery transactions initiated: The HongCoin team begins executing on-chain transactions to restore refund capabilities.
- 2026-05-30 — Recovery process completed: 41 transactions executed by the HongCoin team successfully unlock the trapped ETH for investors.
- 2026-05-31 — Investors notified of recovery: Investors are informed to check eligibility for refunds, with 907 ETH still unclaimed.
Related entities
- Lazarus Group (APT Group)
- Euler Finance (Company)
- Euler Labs (Company)
- Forta (Company)
- HongCoin (Company)
- Hypernative (Company)
- Kelp DAO (Company)
- PeckShield (Company)
- The HONG (Company)
- Ethereum (Company)
- CWE-190 - Integer Overflow or Wraparound (CWE)
- times.in (Domain)
- 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9 (Eth)
- Foundry (Tool)
- Tornado Cash (Tool)
- OpenZeppelin SafeMath (Platform)
- SafeMath Library (Platform)
- Solidity (Platform)