A security researcher, working with the HongCoin team, unlocked 1003.62 ETH, worth approximately $2 million at current prices, that had been trapped in a 2016 Ethereum token issuance contract for nearly nine years. Following the release of the funds, 48 original investors can now apply to reclaim their respective Ether.

Refund function has been inactive for a long time

HongCoin was a token sale project in 2016. Because the fundraising target was not met, the contract was supposed to automatically return ETH to investors, but a flaw in the refund function prevented large holders from withdrawing their funds for an extended period.

The problem lies in the refund decision logic. The contract compares the amount of tokens held with a global counter, which has been suppressed to 356 after years of sporadic refunds. As a result, addresses with higher balances fail the check, effectively limiting the refundable amount per transaction to around 3.56 ETH.

Funds were released by exploiting an old vulnerability.

Security researcher 0xflorent stated that he discovered an administrator function in the contract that lacked the integer overflow protection later adopted by the Solidity language. By simply inputting a specific value, it was possible to reset the token balance of a designated address to 1, thereby bypassing refund restrictions and releasing previously stuck funds.

This operation was not a one-sided exploitation of the vulnerability. Since the relevant function can only be executed by HongCoin's multisignature wallet, 0xflorent first contacted the project team and verified the unlocking process in the Ethereum mainnet fork test environment. Ultimately, the team signed the transaction themselves.

Approximately 1000 ETH were unlocked through 41 transactions.

According to 0xflorent, the team signed 41 transactions, corresponding to 41 holders who were originally ineligible for refunds, releasing a total of approximately 1,000 ETH. Another 7 holders, with smaller balances, were able to receive refunds directly without going through this process.

He also stated that two investors have already withdrawn their funds, totaling 96.5 ETH, equivalent to approximately $193,000.

• Total unlocked amount: 1003.62 ETH
• Number of people eligible for a refund: 48
• Refunds completed: 2 people, totaling 96.5 ETH.

The second public rescue in 8 days

This is the second similar funding rescue case publicly disclosed by 0xflorent in eight days. On May 24, he stated that he had returned 19.329 ETH to the original holders, including 5.141 ETH from a failed token offering in 2018, and 14.190 ETH from seven atomic swaps that became inaccessible after Liquality Wallet closed in 2024.

This incident comes at a time when DeFi protocol security issues continue to surface. CoinDesk noted that multiple protocols were attacked in April alone, resulting in cumulative losses of hundreds of millions of dollars, with Kelp DAO alone incurring losses of approximately $293 million.