A white-hat researcher unlocked over $2M in ETH trapped in a 2016 HongCoin ICO good contract, returning funds to 48 buyers after 9 years.
A 2016 Ethereum ICO known as HongCoin by no means reached its funding purpose. The contract was purported to deal with that situation. It didn’t. The good contract had a damaged refund operate, and the cash simply sat there.
9 years and roughly $2 million later, a white-hat researcher going by 0xFlorent_ on X introduced what he described as the primary white-hat exploit on Ethereum. 1,003.62 ETH, value roughly two million {dollars} at present costs, had been sitting locked in that contract for the reason that ICO period. The 48 unique buyers couldn’t contact it.
9 Years, One Bug, $2M No one Might Contact
HongCoin was a fundraising challenge that ran in the course of the ICO wave of 2016. It by no means hit its funding purpose. The contract was designed to auto-refund contributors when that occurred. In accordance with 0xFlorent_ on X, a bug within the refund operate quietly broke the mechanism. The ETH sat there. No one moved it.
It wasn’t theft. It wasn’t a rug. It was a damaged door that seemed closed from either side. The buyers had no path to reclaim funds, and the HongCoin group had no apparent option to push them again out.
The contract deal with, 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9, had been holding that ETH in plain view on-chain the whole time. Anybody may see the steadiness. No one had a working manner in.
41 Transactions Later, the Lock Lastly Broke
The best way out was an admin operate with an integer overflow vulnerability. Calling it with a particular enter worth resets a holder’s steadiness and bypasses the refund examine that had been blocking withdrawals. 0xFlorent_ posted the complete breakdown on X, saying he examined the strategy end-to-end earlier than sharing it with the HongCoin group.
The group then executed 41 unlock transactions on-chain earlier this week. On-chain proof is seen at this Etherscan deal with. The ETH steadiness within the contract reveals 1,003.624048369852000001 ETH, valued at simply over $2,091,775 on the time of writing.
Supply: 0xFlorent_ on X (Etherscan screenshot)
“Many due to the HongCoin group for trusting the strategy and executing the on-chain restoration,” 0xFlorent_ stated on X. The group, for his or her half, didn’t ask too many questions on the strategy.
What the HongCoin Contract Acquired Fallacious in 2016
Integer overflow bugs have been a standard drawback in early Ethereum contracts. Earlier than Solidity added built-in overflow checks, builders had so as to add them manually. Many didn’t. An admin operate that wasn’t meant because the exit level contained one among these weaknesses within the HongCoin contract. It changed into the one exit.
The broader image tells a unique story from most crypto exploits. This wasn’t a drain. 0xFlorent_ discovered the flaw, didn’t take the cash, and handed the trail to the group. Investigators not often recuperate dormant on-chain funds like this. The last decade-old ETH pockets exercise that surfaces in 2026 often attracts far much less cooperative outcomes.
The 48 buyers can now declare their ETH. What number of will nonetheless have entry to the unique pockets addresses from 9 years in the past is one other matter solely. On-chain knowledge confirms that the funds are unlocked.