Whitehat recovery of $2 million from a 2016 Ethereum ICO contract

A whitehat developer known as 0xflorent worked with the team behind the HongCoin token sale to unlock about $2 million in ether that had remained trapped for nine years after the contract’s refund function failed following the 2016 ICO. HongCoin was a 2016 token sale that failed to meet its funding goal and relied on an automated refund mechanism that did not return funds because of a bug in the refund function. The recovery unfroze 1,003.62 ETH and made funds available for 48 original investors to claim.

The HongCoin contract originated in a 2016 token sale that failed to meet its funding goal and was programmed to automatically refund investors. The automated refund mechanism did not return funds because a bug in the refund function prevented refunds from executing as intended. The refund function’s failure affected investors who were awaiting automated returns and required intervention to enable on-chain refunds. Certain administrative actions for the contract were restricted to HongCoin’s multisig wallet.

An admin function restricted to HongCoin’s multisig wallet lacked integer-overflow protections, creating a condition that could be manipulated by a specific input. Calling that admin function with the specific input reset a holder’s recorded token balance to one, which satisfied the contract’s refund-check logic. Restoring access to the trapped funds required the HongCoin multisig to sign 41 transactions to execute the recovery steps. In parallel, seven other holders were able to successfully trigger refunds directly on-chain without multisig intervention.

By May 24, a total of 19.329 ETH, approximately valued at $40,590, had been successfully returned to the original owners. This included 5.141 ETH from the 2018 ICO initiative and an additional 14.190 ETH reclaimed from seven expired atomic swaps within the Liquality Wallet. Notably, the Liquality Wallet ceased operations in 2024, adding complexity to the recovery process. Additionally, two of the investors had managed to claim 96.5 ETH collectively, which amounts to roughly $193,000. These developments reflect significant milestones in the ongoing effort to return funds to eligible investors despite prior setbacks in the refund mechanism.

The HongCoin recovery reported here is the second recovery publicized by the whitehat developer 0xflorent within an eight-day span. April decentralized finance (DeFi) exploits drained hundreds of millions of dollars, including an incident that resulted in about $293 million lost from Kelp DAO. A Sui Foundation post-mortem attributed outages to an interaction between the v1.72 address-balance feature and gas/consensus logic. These items were included in related reporting of recent developments in DeFi security and network reliability. The items were reported within the same coverage set.

0xflorent’s whitehat action unlocked 1,003.62 ETH, approximately $2 million, that had remained trapped in the 2016 HongCoin ICO contract for nine years. The recovery made funds available for 48 original investors to claim and has already enabled several returns to owners. The event restored long-trapped investor funds to an eligible set of original backers.