Researcher Recovers $2M in ETH From 2016 Hongcoin ICO Bug After Nine Years

A security researcher has pulled off a recovery that was almost a decade in the making. On Monday, 0xflorent announced they had retrieved 1,003.62 ETH — roughly $2 million at current prices — from a smart contract that locked up investor funds since a failed 2016 initial coin offering. The money came from Hongcoin, an Ethereum-based project also known as 'The HONG' that launched an ICO back in 2016. A critical bug in the contract meant nobody could withdraw what they put in. That bug sat untouched for nearly nine years.

The nine-year lockup

Hongcoin's ICO raised funds from participants who sent ETH to a smart contract designed to return tokens later. But the contract contained a critical vulnerability: it never allowed withdrawals. The funds simply sat there, unreachable. 0xflorent figured out how to exploit the same flaw — this time to get the money out. The recovery took over a week, they said in a technical writeup, involving reverse-engineering the contract and crafting a series of transactions that essentially forced the contract to release the ETH.

What the researcher did

The specifics involve a reentrancy-style attack, though 0xflorent didn't call it that. They used a separate smart contract to call the Hongcoin contract in a way that bypassed the original withdrawal restriction. The key was that the Hongcoin contract had a function meant for the project team to withdraw funds in an emergency — but that function had a bug that allowed anyone to call it if they met certain conditions. 0xflorent met those conditions by sending a small amount of ETH first, then calling the function repeatedly before the contract could update its internal state. The result: the locked ETH trickled out over several blocks.
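As an added illustration that is not the Hongcoin contract's code (which this article does not reproduce), the two hypothetical Solidity contracts below show the bug class described above next to a hardened form: a payout function that makes its external call before recording that it has paid, versus one that updates state first, holds a reentrancy lock, and lets each caller reclaim only their own contribution. Contract and function names are invented for the example.

```solidity
pragma solidity ^0.8.20;
// Hypothetical contracts for illustration; not the Hongcoin code.
// VULNERABLE: the "emergency" payout has no caller restriction and
// marks `paid` only AFTER sending ETH. A receiving contract can
// re-enter emergencyWithdraw() from its receive() hook while `paid`
// is still false and be paid again for the same contribution.
contract VulnerableCrowdsale {
    mapping(address => uint256) public contributed;
    mapping(address => bool) public paid;
    function contribute() external payable {
        contributed[msg.sender] += msg.value;
    }

    function emergencyWithdraw() external {
        require(contributed[msg.sender] > 0, "no contribution");
        require(!paid[msg.sender], "already paid");
        // Interaction before effect: control leaves this contract here.
        (bool ok, ) = msg.sender.call{value: contributed[msg.sender]}("");
        require(ok, "transfer failed");
        paid[msg.sender] = true; // recorded too late to stop a nested call
    }
}

// HARDENED: checks-effects-interactions plus a mutex. State is
// zeroed before the external call, a nested call hits the lock and
// reverts, and each caller can only ever reclaim what they put in.
contract HardenedCrowdsale {
    bool private locked;
    mapping(address => uint256) public contributed;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function contribute() external payable {
        contributed[msg.sender] += msg.value;
    }

    function refund() external nonReentrant {
        uint256 amount = contributed[msg.sender];
        require(amount > 0, "nothing to refund");
        contributed[msg.sender] = 0; // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Auditors look for exactly this ordering: any `call`, `transfer` or `send` that precedes the state write it is supposed to be gated by is a reentrancy finding, regardless of what the function is named.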

Unanswered questions

What happens to the recovered money? 0xflorent hasn't said publicly whether they plan to return it to original investors or keep it as a bounty. The Hongcoin project is long dead; its website is offline, and its Telegram channel went silent years ago. The funds technically belong to the contract, but the contract's intended beneficiaries are the ICO participants — none of whom could ever claim their share. 0xflorent told the crypto security community they'd “figure out the right thing” in the coming weeks. That answer will matter more than the hack itself.