White-hat recovers 1,003 ETH trapped in 2016 HongCoin ICO for nine years

White-hat researcher 0xFlorent has recovered 1,003.62 ETH from the failed 2016 HongCoin Ethereum ICO — ether that had been locked in a smart contract for nine years. The recovered funds, worth roughly $1.99 million at an Ethereum price of $1,983 on June 1, were freed by exploiting an integer overflow bug that older Solidity compilers didn't catch.

The bug that trapped backers

HongCoin ran its ICO from August 29 to October 28, 2016. It was supposed to be a decentralized venture fund, but it never hit its funding goal. The refund function had a subtle flaw: the global 'tokensCreated' counter tracked the total supply, but for larger contributors that counter ended up lower than their individual token balances. That mismatch meant those holders couldn't claim their refunds — the contract simply rejected the transaction.

A nine-year-old overflow

The recovery relied on the behavior of Solidity before version 0.8.0, which did not automatically detect arithmetic overflows. 0xFlorent used the multisig-restricted admin function 'mgmtIssueBountyToken' — a function that wraps values on overflow — to reset token balances and let blocked holders finally withdraw. The researcher coordinated with the original HongCoin multisig, signing 41 separate transactions to unlock refunds for larger backers and 7 direct refunds for smaller ones.
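The wrap-on-overflow behavior described above, and why the same call is rejected under checked arithmetic, can be seen in a small model. This is an added example, not the HongCoin contract source: the `Ledger` class, its refund guard, the `admin_issue` helper and all values are simplified assumptions constructed for illustration.

```python
# Simplified model of uint256 arithmetic before and after Solidity 0.8.0.
# Constructed for illustration; not the HongCoin contract's code.
UINT256_MOD = 2**256


class Overflow(Exception):
    """Stands in for the revert Solidity >= 0.8.0 raises on overflow."""


def add_unchecked(a, b):
    # Pre-0.8.0 semantics: the sum is reduced modulo 2**256, silently.
    return (a + b) % UINT256_MOD


def add_checked(a, b):
    # 0.8.0+ semantics: an overflowing addition aborts the transaction.
    if a + b >= UINT256_MOD:
        raise Overflow("uint256 addition overflowed")
    return a + b


class Ledger:
    def __init__(self, tokens_created, balances, add=add_unchecked):
        self.tokens_created = tokens_created  # global supply counter
        self.balances = dict(balances)        # per-holder token balances
        self.add = add                        # arithmetic mode in use

    def refund(self, holder):
        # Assumed guard: a refund burns the holder's tokens from the global
        # counter and is rejected when the balance exceeds that counter.
        balance = self.balances[holder]
        if balance > self.tokens_created:
            return False
        self.tokens_created -= balance
        self.balances[holder] = 0
        return True

    def admin_issue(self, holder, amount):
        # Hypothetical stand-in for a privileged issuance function that
        # adds to a holder's balance using the ledger's arithmetic mode.
        self.balances[holder] = self.add(self.balances[holder], amount)


if __name__ == "__main__":
    ledger = Ledger(tokens_created=500, balances={"holder": 800})
    print("refund before:", ledger.refund("holder"))
    ledger.admin_issue("holder", UINT256_MOD - 300)  # 800 + (2**256 - 300) wraps
    print("balance after wrap:", ledger.balances["holder"])
    print("refund after:", ledger.refund("holder"))
```
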

Confirmed on-chain

On May 29, an on-chain transaction confirmed a successful refund of 96 ETH from the HongCoin contract. The recovery means contributors who've been waiting since 2016 can now get their ether back. It's a clean resolution to a nine-year-old mess — and a reminder that bugs in pre-0.8.0 Solidity contracts are still out there, waiting to be exploited the right way.