A security researcher operating under the handle 0xFlorent_ discovered an integer-overflow vulnerability in the HongCoin ICO smart contract, a bug that had been quietly trapping 1,003.62 ETH, worth roughly $2 million at current prices, since the original token sale failed to hit its funding goal. With the HongCoin team’s cooperation, the flaw was patched and investors can now reclaim contributions they likely wrote off years ago.

How a decade-old bug kept $2M hostage

The HongCoin ICO launched in August 2016, collecting ETH from 48 participants. The raise didn’t meet its target, at which point the contract was supposed to refund contributors automatically. An integer-overflow bug (a type of flaw where a number exceeds the maximum value a variable can store, causing it to wrap around to zero or some unintended value) broke the refund mechanism entirely. For nine years the ETH sat at contract address 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9, visible on-chain but completely inaccessible.

The rescue operation

Rather than exploiting the vulnerability directly, 0xFlorent_ first validated the exploit in a local testing environment, then privately shared the full recovery methodology with the HongCoin team.