A pseudonymous white hat researcher has recovered more than 1,003 ETH — roughly $2 million — that had been trapped in a faulty Hong Coin (HONG) ICO smart contract since 2016. The funds, belonging to 48 original investors, were released after the hacker identified and exploited an administrative integer overflow bug that prevented the contract’s built-in refund mechanism from working.
Hong Coin launched its token sale on Aug. 29, 2016, and closed it on Oct. 28, 2016. The project, billed as a decentralized autonomous organization for venture investing, failed to reach its fundraising target, so the ICO contract was supposed to automatically return contributors’ ETH. Because of a flaw in the refund logic, the money remained locked in the contract for nearly a decade.
The white hat, posting under the handle 0xflorent, said the recovery became possible after they found an overlooked admin function with an integer overflow vulnerability. Invoking that function with a specific input reset token-holder balances and allowed the refund conditions to execute properly, without moving funds out of the contract to a third party. According to on-chain records, the recovered ETH has begun to be returned to investors: one wallet received 96 ETH (about $192,500), and others have seen smaller refunds.
0xflorent worked with the original Hong Coin creators to demonstrate the fix and ensure the trapped funds could be released safely. The case adds to a recent pattern of ethical hackers intervening to secure or restore crypto assets after discovering smart contract and infrastructure weaknesses.
Earlier in May, security firm Blockaid reported a white hat incident involving Renegade.fi’s Arbitrum dark pool, in which an exploitable deployment error was used and most funds were returned. 0xflorent also disclosed separate recoveries in late May, including 19.33 ETH retrieved from a failed 2018 ICO and funds stuck in a cross-chain transfer involving Liquality Wallet.
This Hong Coin recovery highlights both the risks of long-lived smart contracts with subtle bugs and the growing role of benevolent security researchers who remediate legacy vulnerabilities and return value to affected users.