More than 1,003 ether, worth about $2 million, were recovered from a failed initial coin offering (ICO) in 2016 dubbed “Hong Coin” after a white hat hacker found a way to unlock funds that had been trapped in a faulty smart contract for nearly 10 years.
summary
- A white hat hacker helped recover 1,003 ETH worth about $2 million from a failed Hong Coin ICO contract in 2016.
- The funds remained locked for nearly a decade after a bug prevented investors from automatically receiving refunds.
- The refund was made possible after the hacker discovered an integer overflow flaw and worked with the project creators to unlock the refund mechanism.
According to a Sunday post on
As 0xflorent explained, the ICO contract is designed to automatically return ETH to investors if the funding goal is not reached. A flaw in the refund function prevented this process from working, resulting in funds remaining permanently locked even though the sale ended unsuccessfully.
Blockchain records from Etherscan show that refunds have already begun. One investor received 96 ETH, currently worth around $192,500, while another wallet received 0.5 ETH.
Hong Coin was introduced in 2016 as a decentralized, autonomous organization focused on venture capital investment. A promotional video posted at the time described a structure where token holders vote on which projects can receive funding from the community-run pool.
The ICO opened on August 29, 2016, and concluded on October 28, 2016. Participants who contributed ETH were expected to receive a stake of 250 million HONG tokens distributed across multiple funding stages. Because the project did not meet its fundraising goal, investors became eligible for a refund under smart contract rules.
Integer overflow error provides a recovery path
Detailing the recovery, 0xflorent said that the solution emerged from an deprecated administrative function that contained an integer overflow vulnerability.
According to white hat, calling the function with a specific input resets the balance of the token holder and allows the contract redemption conditions to be executed correctly. Working alongside the original HONG creators, 0xflorent demonstrated how the flaw could be used to release locked-up ETH without moving funds out of the contract.
“The exit was an administrative function with an integer overflow vulnerability,” 0xflorent wrote on X. “Calling it with a specific input resets the owner’s balance and unblocks the refund verification.”
This recovery adds to a growing list of cases in which white hat hackers have intervened to secure or return cryptocurrency funds after identifying vulnerabilities in… Smart contracts and protocol infrastructure.
Earlier in May, blockchain security company Blockaid I mentioned That a white-hat attacker exploited a vulnerability in Renegade.fi’s Arbitrum-based dark pool, temporarily draining about $209,000 before returning more than 90% of the assets.
According to Blockaid, the issue arose from deployment and migration errors that allowed unauthorized modification of a smart contract connected to the protocol’s V1 dark pool.
In messages posted on the chain after that incident, exploiter Renegade argued that disclosing the vulnerability was the safest way to protect users’ funds and pointed to the simplicity of the vulnerability as evidence that more malicious attackers could have caused much greater losses.
Separately, 0xflorent It has been detected On May 24, they also recovered a total of 19.33 ETH, worth about $40,600 at the time, from a failed ICO project in January 2018 and from a Liquality Wallet user whose funds became trapped in a cross-chain transfer protocol.
