Security researcher 0xflorent returned 1,003.62 ETH to investors after the funds had remained inaccessible for nine years in the smart contract of a failed 2016 ICO. The funds, worth around $2 million at current prices, had been locked all this time because of a bug in the contract’s refund function.
Contract bug fixed after 9 years
The contract belonged to HongCoin, also known as “The HONG,” a project launched in 2016 as a community-based investment fund. When the project failed to reach its funding target, investors were supposed to receive automatic refunds. That never happened.
The root of the problem was in code written with an old version of Solidity. The contract’s refund function was designed in a way that rejected any investor whose token balance was higher than a global counter. Partial refunds over the years pushed this counter down to 356; in practice, the refund limit was trapped at 3.56 ETH, around $7,000. Most of the investors waiting for refunds had balances far above that threshold.
0xflorent found the solution in an administrator function within the contract. This function, originally written for token distribution, contained an integer overflow vulnerability that later Solidity versions closed through SafeMath. When called with a specific input value, it reset an investor’s balance to 1, allowing the refund check to pass and the funds to be released.
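As an added illustration, constructed for this article and not the HongCoin contract's own code, the two patterns the passage describes side by side: a refund gate that rejects any holder whose balance exceeds a global counter, and an admin helper whose unchecked addition wraps modulo 2**256, next to the checked form that Solidity 0.8 enforces by default. The token unit (0.01 ETH per token, so a counter of 356 means 3.56 ETH) is an assumption derived from the article's figures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed demo of the failure mode described above; NOT the HongCoin contract.
// Assumed unit: one token = 0.01 ETH, so refundCap == 356 caps refunds at 3.56 ETH.
contract RefundGateDemo {
    mapping(address => uint256) public balanceOf;
    uint256 public refundCap;            // the "global counter" the gate compares against
    address public immutable admin;

    constructor(uint256 initialCap) {
        admin = msg.sender;
        refundCap = initialCap;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    function deposit(uint256 tokens) external {
        balanceOf[msg.sender] += tokens; // checked: reverts on overflow
    }

    // The gate: a holder with more tokens than refundCap is rejected outright.
    // Each partial refund also shrinks the cap, so over time large holders
    // are locked out even though the contract still holds their ETH.
    function refund() external {
        uint256 bal = balanceOf[msg.sender];
        require(bal > 0, "nothing to refund");
        require(bal <= refundCap, "balance above refund cap"); // the trap
        balanceOf[msg.sender] = 0;
        refundCap -= bal;
        // ETH transfer to msg.sender would follow here.
    }

    // Pre-0.8 style helper: inside `unchecked`, addition silently wraps, so the
    // stored balance can end up at any value, including 1, instead of reverting.
    function adjustUnchecked(address who, uint256 amount) external onlyAdmin {
        unchecked { balanceOf[who] += amount; }
    }

    // Hardened form: default checked arithmetic reverts with Panic(0x11) on wrap,
    // which is the behaviour SafeMath provided on older compilers.
    function adjustChecked(address who, uint256 amount) external onlyAdmin {
        balanceOf[who] += amount;
    }
}
```

A Foundry test that calls `adjustUnchecked` with an amount large enough to wrap, then asserts `balanceOf` changed rather than reverting, reproduces the class of bug the article describes; the same call against `adjustChecked` reverts.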
Still, this was not something that could be carried out unilaterally. The relevant administrator function was restricted to HongCoin’s multisignature wallet. 0xflorent first contacted the team, verified the steps on a mainnet fork using Foundry, and the transactions were signed by the team members themselves. Around one week passed between the first email and the final transaction.
In total, the team signed 41 transactions, each corresponding to a separate investor. Seven investors with sufficiently small balances received their refunds directly without needing this procedure. The recovery made it possible for 48 original investors to claim their funds. As of Sunday, two of them had done so, claiming a total of 96.5 ETH, or roughly $193,000. These two investors voluntarily sent 0xflorent a “whitehat bounty,” though there was no obligation to do so. The researcher says he took no commission or cut, and that curiosity was the only thing behind the work.
This is the second successful recovery 0xflorent has publicly shared in the past eight days. On May 24, he said he had recovered 19.329 ETH from two old contracts: 5.141 ETH from a failed 2018 ICO where the funds were waiting behind an uncalled refund function, and 14.190 ETH from seven expired atomic swaps belonging to Liquality Wallet, which shut down in 2024.
0xflorent makes no secret of his methodology. He set up a self-hosted Ethereum node, built a scanner that flags every contract holding more than 100 ETH, and then reviewed the candidates one by one. “Many contracts are forks of others, so a vulnerability in one can affect every contract in the same cluster,” he says, adding that the well-known major clusters have already been scanned to a large extent.
He also used Claude Code in his work, though with one caveat: “Artificial intelligence is influenced by the fact that the contract has not been broken before. So it often concludes, ‘It cannot be broken, I tried everything,’ which is usually wrong.”
The recovery comes at a time when the DeFi ecosystem has been shaken by a serious wave of exploits. In April alone, hundreds of millions of dollars were stolen from various protocols, with the largest attack causing around $293 million in damage to Kelp DAO. One of the co-founders of security firm OpenZeppelin also recently declared “all of DeFi” unsafe.
“I want to see a counter-movement of people trying to protect systems instead of exploiting them,” 0xflorent says. “It is more satisfying morally, and it can also provide a good financial return.”