White-Hat Researcher Recovers 1,003.62 ETH Locked for 9 Years

AMBCrypto
Summary

ETH news broke this week as a white-hat researcher named Florent recovered 1,003.62 ETH (about $2 million) locked for nine years in the failed HongCoin ICO. The funds were stuck due to a contract flaw in the refund system. Florent found an integer overflow vulnerability in an admin function. After the recovery method was tested, the HongCoin team made 41 on-chain transactions to release the ETH. This allowed 48 original investors to reclaim their funds.

An Ethereum [ETH]-based initial coin offering (ICO) called HongCoin, introduced in 2016, recently made headlines after 1,003.62 ETH was recovered.

The recovery was made possible with the assistance of Florent, a white-hat security researcher. The ETH, equivalent to $2 million, had been locked for nine years.

First white-hat exploit on Ethereum
Source: Florent/X

What caused the funds to be locked in for nine years?

For context, investors were expected to receive automatic refunds of their contributions because the project had initially fallen short of its fundraising goal.

Unfortunately, these repayments could not be made due to a defect in the contract’s refund mechanism, which essentially locked the money indefinitely. During his investigation of the dormant contract, Florent found an integer overflow vulnerability in an administrator function.

This vulnerability is typical of early Ethereum smart contracts and allows numerical values to wrap around when they surpass their upper limit.

By carefully crafting a specific input, the researcher was able to bypass the flawed refund condition, reset a holder’s balance, and regain access to the refund process without stealing or misappropriating any money.
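
To make the wrap-around concrete, here is an added example (not from the article, and not the HongCoin contract's code) that models EVM uint256 addition in Python and compares unchecked arithmetic, as in Solidity before 0.8, with a SafeMath-style check. The `Ledger` class, the `admin_credit` function and all values are hypothetical.

```python
UINT256_MAX = 2**256 - 1  # largest value an EVM uint256 can hold


def unchecked_add(a: int, b: int) -> int:
    """Solidity before 0.8: '+' silently wraps modulo 2**256."""
    return (a + b) & UINT256_MAX


def checked_add(a: int, b: int) -> int:
    """SafeMath-style add: compute the wrapped sum, revert if it shrank."""
    c = unchecked_add(a, b)
    if c < a:
        raise OverflowError("uint256 addition overflow")
    return c


class Ledger:
    """Hypothetical ledger with an admin-only balance adjustment."""

    def __init__(self, balances, add=unchecked_add):
        self.balances = dict(balances)
        self._add = add

    def admin_credit(self, holder: str, amount: int) -> int:
        if not 0 <= amount <= UINT256_MAX:
            raise ValueError("amount does not fit in a uint256")
        # State is only written if the addition did not revert.
        self.balances[holder] = self._add(self.balances.get(holder, 0), amount)
        return self.balances[holder]


def credit_outcome(add, start: int, amount: int):
    """Return the resulting balance, or 'reverted' with state untouched."""
    ledger = Ledger({"holder": start}, add=add)
    try:
        return ledger.admin_credit("holder", amount)
    except OverflowError:
        assert ledger.balances["holder"] == start
        return "reverted"


if __name__ == "__main__":
    start = 1_000                   # constructed sample balance
    huge = UINT256_MAX - start + 1  # constructed: start + huge == 2**256
    print(credit_outcome(unchecked_add, start, huge))  # 0 (wrapped)
    print(credit_outcome(checked_add, start, huge))    # reverted
    print(credit_outcome(checked_add, start, 500))     # 1500
```

Solidity 0.8 and later applies the checked behaviour to `+` by default, which is why this bug class is mostly found in older contracts.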

How did Florent recover the locked funds?

After successfully testing the recovery method, the researcher shared the process with the HongCoin team, who subsequently carried out 41 on-chain transactions to unlock the trapped Ethereum.

As a result, 48 original investors can now reclaim their funds, marking a rare example of a vulnerability being used for a beneficial purpose. However, this is not his first recovery of this kind. Florent had previously released 19.329 ETH, or roughly $40,590, from two other contracts on 24 May.

unlocked 19.329
Source: Florent/X

The first was a failed ICO from January 2018, involving 5.141 ETH and an unnamed public refund function.

The second involved a Liquality Wallet user: Florent claimed to have refunded 14.190 ETH from seven expired atomic swaps on the user’s behalf after Liquality shut down its app in 2024.

ETH’s market dynamics

At the time of writing, ETH was trading at $1,982.30, down 1.85% over the previous day and more than 13% over the previous month.

Meanwhile, Ethereum’s Spot Taker CVD (Cumulative Volume Delta) has primarily fluctuated between aggressive buying and selling streaks in 2026, indicating a fiercely competitive market.

Ethereum Spot Taker CVD (Cumulative Volume Delta, 90-day)
Source: CryptoQuant

Press-time data suggested that although buyers may still be in control, the strength of buying had fallen in comparison to previous peaks.

This comes after AMBCrypto recently revealed an exploit that used a well-known ERC4626 vulnerability class to drain about $152,000 from several lending markets.


Final Summary

  • White-hat security researcher Florent spearheaded the recovery after identifying an integer overflow vulnerability in the administrator function of the contract.
  • 48 initial investors can now finally receive their money back as a result of this recovery.