Whitehat unlocks 1,003 ETH stuck in 2016 HongCoin ICO contract

Researcher 0xFlorent_ found an integer-overflow path in the HongCoin admin function and unlocked 1,003.62 ETH (~$2M) trapped in the 2016 ICO refund contract for nine years.

A security researcher who posts as 0xFlorent_ has unlocked 1,003.62 ETH — roughly $2M at the June 1 close — from the 2016 HongCoin ICO contract at 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9, restoring refunds to the original 48 token buyers nine years after a broken refund function left their ether stranded. The researcher disclosed the path privately to HongCoin's multisig holders rather than sweeping the funds himself, and the team itself signed the 41 unlock transactions that paid each blocked address its share. CoinDesk's writeup is in Whitehat developer unlocks $2 million stuck in a 2016 Ethereum ICO contract for nine years; Decrypt confirmed the recovery in Whitehat Helps Recover $2M in ETH Stuck Since 2016 ICO.

What happened

HongCoin's August 2016 sale fell short of its funding target. The contract was supposed to auto-refund every participant, but a bug in the refund accounting blocked the path. Across the years that followed, a handful of partial refunds dragged a global counter inside the contract down to a low number; the refund function then rejected any holder whose remaining balance exceeded that counter. Effectively the contract capped further withdrawals at the residual counter value (reported as 3.56 ETH per holder), well below what most of the 48 contributors were owed. The ether sat in plain sight on Ethereum, visible at the contract address, and untouchable.

0xFlorent_ identified an admin function in the same contract that lacked integer-overflow protections. Called with the right input, it wrapped the storage variable used to gate the refund check, resetting a holder's accounted balance to zero and re-opening the refund path. The researcher validated the sequence on a local Ethereum fork, emailed HongCoin's multisig signers, and shared the full recovery script. Between May 26 and May 30, 2026, the HongCoin multisig executed 41 on-chain transactions — one per eligible holder — re-opening the refund queue. CryptoBriefing's reconstruction is in HongCoin investors recover $2M in locked ETH after nine years.

The mechanism — integer overflow as a key, not a weapon

The disclosure is unusual in two ways. First, the same primitive — an unchecked admin function with no SafeMath-equivalent guard — is what would have let a malicious actor drain the contract years ago, had anyone found it. Second, the exploit was used as a constructive unlock rather than a sweep: the admin function flips a balance accounting flag, but only the multisig can sign the resulting refund transaction. The bug is in the gating logic; the refund payouts still require the original signers. That alignment is what made a whitehat path possible.

The contract is unverified on Etherscan and predates the post-DAO migration to OpenZeppelin's SafeMath patterns. Integer-overflow protections at the language level shipped with Solidity 0.8 in late 2020; HongCoin's contract was deployed years earlier and never upgraded.
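The two arithmetic regimes contrasted above (pre-0.8 unchecked uint256 wrapping in the admin function, and the checked arithmetic Solidity 0.8 and SafeMath enforce) as an added Python model. This is illustration code written for this article, not HongCoin's contract, which is unverified; the RefundGate shape, the holder name, and the 20 ETH balance are assumptions, with the 3.56 ETH residual counter taken from the article.

```python
UINT256_MAX = 2**256 - 1
WEI = 10**18

class OverflowRevert(Exception):
    """Stand-in for the revert Solidity >= 0.8 (or SafeMath) raises on overflow."""

def add_unchecked(a: int, b: int) -> int:
    """Pre-0.8 semantics: silently wraps modulo 2**256."""
    return (a + b) & UINT256_MAX

def add_checked(a: int, b: int) -> int:
    """Solidity 0.8 / SafeMath semantics: revert instead of wrapping."""
    if a + b > UINT256_MAX:
        raise OverflowRevert("addition overflow")
    return a + b

class RefundGate:
    """Hypothetical gate shaped like the article's description: a holder is
    refundable only while their accounted balance <= a global residual counter."""

    def __init__(self, checked: bool, counter_wei: int):
        self.add = add_checked if checked else add_unchecked
        self.counter_wei = counter_wei
        self.accounted = {}

    def admin_credit(self, holder: str, amount_wei: int) -> int:
        # Assumed admin write; its only overflow guard is whatever self.add does.
        self.accounted[holder] = self.add(self.accounted.get(holder, 0), amount_wei)
        return self.accounted[holder]

    def can_refund(self, holder: str) -> bool:
        return self.accounted.get(holder, 0) <= self.counter_wei

def run_scenario(checked: bool) -> dict:
    """Constructed case: one holder owed 20 ETH while the residual counter
    sits at 3.56 ETH (the article's figure), then an admin credit sized to
    carry the balance past 2**256."""
    gate = RefundGate(checked, counter_wei=356 * WEI // 100)
    gate.admin_credit("holder_A", 20 * WEI)
    before = gate.can_refund("holder_A")
    try:  # unchecked: balance wraps to zero and the gate opens; checked: reverts
        gate.admin_credit("holder_A", 2**256 - 20 * WEI)
        reverted = False
    except OverflowRevert:
        reverted = True
    return {"before": before, "reverted": reverted,
            "balance": gate.accounted["holder_A"], "after": gate.can_refund("holder_A")}
```

Running `run_scenario(False)` shows the pre-0.8 outcome (balance 0, gate open); `run_scenario(True)` shows the checked build leaving the balance untouched and the gate closed.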

Numbers

- Contract:             0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9 (HongCoin)
- Locked since:         August 2016 (failed ICO refund path)
- Eligible holders:     48
- ETH unlocked:         1,003.62 ETH (~$2.00M at June 1 close)
- Recovery window:      May 26–30, 2026 (41 multisig transactions)
- Claimed to date:      96.5 ETH (~$193K) across 2 holders
- Residual claimable:   ~907 ETH across 46 holders
- Researcher:           0xFlorent_ (private disclosure to HongCoin)
- Vulnerability class:  integer overflow in admin function (no SafeMath, pre-Solidity 0.8)

Impact

  • No fresh on-chain risk. The unlock path is gated to HongCoin's multisig; the contract is not now generally drainable by third parties.
  • Eligible holders should check. Anyone who participated in the August 2016 sale should look up their 2016-era Ethereum address against the contract's transaction history. The refund function will pay the address that originally bought tokens; wallets long since rotated or lost will need careful key recovery first.
  • No exchange involvement. No bridge, no mixer, no centralized custodian. The whole flow runs as direct multisig-signed refunds.

What to watch

  1. Disclosure norms for legacy contracts. Most 2015–2017 contracts that still hold value cannot be upgraded. A whitehat path that requires the original team's signers is a workable model — but only when the multisig is still reachable and willing. HongCoin had both. Many failed ICOs do not.
  2. Other dormant ICO contracts. The same class of integer-overflow gates exists across pre-0.8 deployments. A small audit cottage industry has formed around dormant contracts; expect more carefully disclosed unlocks rather than sweeps, given the soft regulatory environment for "found-funds" recovery.
  3. Tax and KYC treatment of the refunds. For the 48 recipients, this is effectively a delayed return of capital nearly a decade after the original ETH transfer. Cost basis was 2016 (ETH around $10–$20); 2026 fair-market value is materially higher. Each jurisdiction will treat the gap differently.

Context — the long tail of pre-SafeMath Solidity

Integer-overflow bugs in Solidity contracts written before 2018 are the same primitive that funded the BeautyChain (BEC) sweep in April 2018 and the Poly Network exploit class. The HongCoin case is the inverse: a contract that should have refunded but didn't, fixed by the same bug class that has destroyed other contracts. The pattern recurs because the language did not enforce overflow checks until Solidity 0.8.0 in December 2020, leaving years of deployed bytecode permanently in scope for this class of finding.

For ICO-era investors with stranded funds, the takeaway is operational: check old addresses, confirm the contract is still live, and watch for disclosed recovery paths from named researchers. Sweep-style "white-hat" recoveries — funds taken first and offered back later — remain legally and reputationally fraught. The HongCoin route, disclosure into a still-functioning multisig, is the cleaner model.

Sources:

  • CoinDesk — Whitehat developer unlocks $2 million stuck in a 2016 Ethereum ICO contract for nine years (June 1, 2026)
  • Decrypt — Whitehat Helps Recover $2M in ETH Stuck Since 2016 ICO (June 1, 2026)
  • Crypto Briefing — HongCoin investors recover $2M in locked ETH after nine years (June 1, 2026)
  • Etherscan contract page for 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9