Researcher Recovers $2M in Ethereum Frozen Since 2016 HongCoin ICO Bug
Key Takeaways
- Security researcher 0xflorent identified an unpatched integer-overflow bug in HongCoin’s 2016 ICO smart contract that had trapped approximately 1,003.62 ETH for nine years.
- The recovery required HongCoin’s multisig team to sign 41 separate transactions, one per blocked holder, after 0xflorent validated the unlock sequence on a test fork before touching the live network.
- This is 0xflorent’s second public smart contract recovery in eight days, following a separate May 24 recovery of 19.329 ETH from a failed 2018 ICO and expired atomic swaps.
A security researcher known as 0xflorent coordinated with the team behind a failed 2016 Ethereum token sale to unlock approximately 1,003.62 ETH, worth roughly $2 million, that had been frozen in a smart contract for nine years due to an unpatched integer-overflow bug.
0xflorent Exploits Admin Function Flaw to Bypass Broken Refund Logic
The contract in question belongs to HongCoin, a 2016 token sale that fell short of its funding target. The contract was designed to automatically refund investors’ Ether in that case, but the refund mechanism failed because of a bug in the contract’s refund function.
The flaw caused the contract’s internal counter to decrease over years of partial refunds until it reached 356, a value the contract’s logic translated into a maximum refund of 3.56 ETH per holder, blocking anyone whose token balance exceeded that amount.
0xflorent identified that an admin function within the contract, restricted to HongCoin’s multisig wallet, lacked the integer-overflow protections that were later incorporated into the Solidity programming language. By calling that function with a carefully chosen input value, a holder’s token balance could be reset to one, allowing the refund check to pass and releasing the previously inaccessible funds.
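The wraparound described above, as an added Python model that is not HongCoin's contract code or 0xflorent's tooling. It assumes the admin function adds its argument to a holder's uint256 balance and that the refund gate compares the balance against the cap; the function names and the sample balance are hypothetical, and 356 is the counter value reported in the article.

```python
# Added illustration: models EVM uint256 arithmetic, not the real contract.
UINT256_MOD = 2**256


def add_unchecked(a: int, b: int) -> int:
    """uint256 addition as compiled by Solidity before 0.8: wraps silently."""
    return (a + b) % UINT256_MOD


def add_checked(a: int, b: int) -> int:
    """uint256 addition as in Solidity 0.8+: overflow reverts the call."""
    total = a + b
    if total >= UINT256_MOD:
        raise OverflowError("uint256 overflow: transaction reverts")
    return total


def wrapping_increment(balance: int, target: int = 1) -> int:
    """Amount that, added with wraparound, moves `balance` to `target`."""
    return (target - balance) % UINT256_MOD


def refund_allowed(balance: int, cap: int) -> bool:
    """Hypothetical refund gate: balances above the cap are blocked."""
    return balance <= cap


def unlock(balance: int, cap: int, add=add_unchecked) -> int:
    """Hypothetical admin credit that brings a blocked balance under the cap."""
    if refund_allowed(balance, cap):
        return balance  # small balances need no workaround
    return add(balance, wrapping_increment(balance))


CAP = 356          # counter value reported in the article
BLOCKED = 25_000   # constructed sample balance, same abstract units as CAP

if __name__ == "__main__":
    print("blocked before:", not refund_allowed(BLOCKED, CAP))
    print("balance after unchecked admin credit:", unlock(BLOCKED, CAP))
    try:
        unlock(BLOCKED, CAP, add=add_checked)
    except OverflowError as exc:
        print("checked arithmetic:", exc)
```

With checked arithmetic the same call reverts, which is why this path exists only in contracts compiled without overflow protection.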
HongCoin’s Multisig Holders Signed 41 Transactions to Free Blocked Investors
The recovery was not a unilateral action by the researcher. Because the admin function required authorization from HongCoin’s multisig wallet, 0xflorent emailed the team directly, then validated the unlock sequence on a test fork of Ethereum’s mainnet before any transactions were executed on the live network. The HongCoin team itself signed the unlock transactions.
In total, the team signed 41 transactions, one for each blocked holder, freeing the approximately 1,000 ETH that was genuinely stuck. Seven additional holders carried balances small enough to be refunded directly, without requiring the workaround.
As of 0xflorent’s post on X on Sunday, 48 original investors are now eligible to reclaim their funds. Two have already done so, together retrieving 96.5 ETH valued at roughly $193,000.
0xflorent’s Second Public Recovery in Eight Days
This marks the second such recovery 0xflorent has disclosed in the span of eight days. On May 24, he announced the return of 19.329 ETH, worth approximately $40,590, to its original owners.
That recovery included two separate components: 5.141 ETH from a failed January 2018 ICO, and 14.190 ETH from seven expired atomic swaps held in a Liquality Wallet user account that had become inaccessible after the wallet shut down in 2024.