2016 HongCoin ICO Unlocks 1,003.62 ETH — A Contract-Archaeology Rescue
The quirky rescue: how 1,003.62 ETH got freed
Here’s a blockchain story that sounds like Indiana Jones met a Solidity compiler. A white-hat researcher known as 0xFlorent managed to recover 1,003.62 ETH from a failed 2016 HongCoin ICO — funds that had been effectively stuck for nine years. At the snapshot price on June 1, that stash was worth roughly $2 million. Not bad for a digital excavation.
The short version: HongCoin’s refund logic was broken by accident, and an ancient admin function — still callable by the original multisig — provided an unlikely workaround. That meant this wasn’t a smash-and-grab exploit so much as careful contract archaeology plus some cooperative signatures.
Back in 2016 HongCoin ran a token sale that didn’t hit its goal, and contributors should have been able to get refunds via a contract function called refundMyIcoInvestment(). The bug was an accounting mismatch: the function compared the caller’s token balance to a global counter called tokensCreated, and earlier refunds reduced that counter over time. Big holders still showed balances, but those balances could be larger than the diminished tokensCreated value, which caused the refund check to fail and blocked the very people owed money.
The escape hatch lived in a separate, multisig-only admin function mgmtIssueBountyToken(). Because Solidity versions before 0.8.0 silently wrapped integers on overflow, the admin function’s arithmetic could be used to nudge balances into a shape that allowed the refund check to pass. In other words, one relic bug (integer wrap) helped undo the practical harm of another relic bug (the refund comparator).
Crucially, the admin route required the original HongCoin management keys — the multisig had to sign. That ethical and operational boundary means the recovery depended on coordination: the researcher found the route, and the old control path executed the necessary calls. The effort included 41 signed transactions to unblock holders; seven smaller investors could refund without the workaround.
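Added example, not HongCoin’s contract code or the researcher’s tooling: a small Python model of the refund check described above, next to a per-account variant and an audit that flags holders whose balance exceeds the global counter. The holder names, amounts, and the counter_drift parameter (a stand-in for however the counter shrank faster than balances, which the article does not detail) are constructed assumptions.

```python
# Simplified model of a refund gated on a global counter (assumption-based,
# not the HongCoin source). Amounts are plain integers, not wei.

class RefundLedger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.tokens_created = sum(balances.values())  # global counter

    def refund_fragile(self, who, counter_drift=0):
        """Refund check as the article describes it: balance vs. global counter.
        counter_drift is hypothetical: extra amount removed from the counter."""
        bal = self.balances[who]
        if bal == 0 or bal > self.tokens_created:
            return False  # holder is owed money but the check rejects them
        self.balances[who] = 0
        self.tokens_created -= bal + counter_drift
        return True

    def refund_per_account(self, who):
        """Hardened variant: eligibility depends only on the caller's balance."""
        bal = self.balances[who]
        if bal == 0:
            return False
        self.balances[who] = 0
        # Counter is informational here; clamp so it can never go negative.
        self.tokens_created -= min(bal, self.tokens_created)
        return True

def audit(ledger):
    """Invariant check: counter should equal the sum of balances.
    Returns (gap, holders whose refund the fragile check would reject)."""
    gap = sum(ledger.balances.values()) - ledger.tokens_created
    stranded = sorted(h for h, b in ledger.balances.items()
                      if b > ledger.tokens_created)
    return gap, stranded

def demo():
    # Constructed sample state: two small holders and one large one.
    ledger = RefundLedger({"small_a": 50, "small_b": 70, "whale": 900})
    for who in ("small_a", "small_b"):
        assert ledger.refund_fragile(who, counter_drift=10)
    gap, stranded = audit(ledger)                 # counter is now 880
    blocked = not ledger.refund_fragile("whale")  # 900 > 880, rejected
    hardened_ok = ledger.refund_per_account("whale")
    return gap, stranded, blocked, hardened_ok

if __name__ == "__main__":
    print(demo())
```

Running audit() as a property test after every state-changing call is the kind of refund-logic test that catches this drift before deployment.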
Why this is archaeology, not a how-to
HongCoin’s story is neat, but it’s also unusually specific. You need several rare ingredients for a responsible recovery: identifiable buggy logic, an admin function still callable by a living keyset, clear on-chain evidence of who’s owed what, and a white-hat willing to coordinate with the old signers. When all those pieces line up, trapped funds can sometimes be freed. When they don’t, poking around can just reveal a new vulnerability to bad actors.
That’s why this feels more like digging up a forgotten safe than publishing a template for opportunists. The multisig requirement is the ethical fence: outsiders discovered the path, but they didn’t usurp control — original signers executed the fix. That cooperation is what separates a rescue from an exploit.
For context, Ethereum’s long memory means many early mistakes remain on-chain. High-profile incidents in the past stranded huge sums and sparked heated recovery debates. This HongCoin case is tiny compared to those headline events, but it highlights the same idea: code and state are permanent, and sometimes the past finds a way to help the future.
Takeaway? If you’re a developer, test your refund logic and avoid fragile global counters. If you’re an investor, remember that “immutable” also means “forever remembered” — for both the bugs and the accidental fixes. And if you’re a blockchain archaeologist, bring snacks, patience, and a multisig that still answers its messages.
