More than 1,003 Ether, worth roughly $2 million, have been recovered from a failed 2016 ICO dubbed Hong Coin after a white hat hacker found a way to unlock funds that had remained trapped in a faulty smart contract for nearly 10 years.
Summary
- A white hat hacker helped recover 1,003 ETH worth about $2 million from a failed 2016 Hong Coin ICO contract.
- The funds remained locked for nearly a decade after a bug prevented investors from receiving automatic refunds.
- Recovery became possible after the hacker identified an integer overflow flaw and worked with the project’s creators to unlock the refund mechanism.
According to a Sunday post on X by pseudonymous white hat hacker 0xflorent, the recovered ETH belonged to 48 investors who participated in the Hong Coin (HONG) token sale, a decentralized venture capital project that never launched after failing to meet its fundraising target.
As explained by 0xflorent, the ICO contract was designed to automatically return investors’ ETH if the funding goal was not reached. A flaw in the refund function prevented that process from working, leaving the funds permanently locked despite the sale ending without success.
Blockchain records from Etherscan show refunds have already started. One investor received 96 ETH, currently valued at about $192,500, while another wallet recovered 0.5 ETH.
Hong Coin was introduced in 2016 as a decentralized autonomous organization focused on venture capital investing. A promotional video published at the time described a structure where token holders would vote on projects that could receive funding from the community-managed pool.
The ICO opened on Aug. 29, 2016, and concluded on Oct. 28, 2016. Participants who contributed ETH were expected to receive a share of 250 million HONG tokens distributed across multiple funding stages. Because the project did not achieve its fundraising target, investors became eligible for refunds under the smart contract’s rules.
Integer overflow bug provided path to recovery
Detailing the recovery process, 0xflorent said the solution emerged from an overlooked administrative function that contained an integer overflow vulnerability.
According to the white hat, invoking the function with a specific input reset a token holder’s balance and allowed the contract’s refund conditions to execute correctly. Working alongside the original HONG creators, 0xflorent demonstrated how the flaw could be used to release the trapped ETH without moving funds outside the contract.
“The way out was an admin function with an integer overflow vulnerability,” 0xflorent wrote on X. “Calling it with a specific input resets a holder’s balance and unblocks the refund check.”
The recovery adds to a growing list of cases where white hat hackers have intervened to secure or return cryptocurrency funds after identifying vulnerabilities in smart contracts and protocol infrastructure.
Earlier in May, blockchain security firm Blockaid reported that a white hat attacker exploited a vulnerability in Renegade.fi’s Arbitrum-based dark pool, temporarily draining about $209,000 before returning more than 90% of the assets.
According to Blockaid, the issue stemmed from deployment and migration errors that allowed unauthorized modification of a smart contract connected to the protocol’s V1 dark pool.
In messages published on-chain following that incident, the Renegade exploiter argued that exposing the weakness was the safest way to protect user funds and pointed to the simplicity of the vulnerability as evidence that more malicious attackers could have caused far greater losses.
Separately, 0xflorent disclosed on May 24 that they had also recovered a combined 19.33 ETH, worth roughly $40,600 at the time, from a failed January 2018 ICO project and from a Liquality Wallet user whose funds became trapped in a cross-chain transfer protocol.
