HongCoin: Locked ETH unlocked after 9-year ICO integer overflow
HongCoin investors can now recover locked ETH after a 2016 ICO refund mechanism failed due to an integer-overflow bug.
A white-hat researcher using the handle 0xFlorent_ found the vulnerability in the HongCoin ICO smart contract. The flaw trapped 1,003.62 ETH (about $2M at current prices) at contract address 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9 for nine years, leaving 48 investors unable to claim refunds.
Instead of exploiting it publicly, 0xFlorent_ validated the approach in a local testing environment and worked with the HongCoin team to patch the contract’s refund processing. Between May 26 and May 30, the team executed 41 on-chain transactions to restore the original contract’s refund logic—without deploying new smart contracts or using intermediaries. By May 31, when the recovery method was publicly disclosed, about 907 ETH still remained in the contract, implying roughly 96 ETH had already been withdrawn.
This case highlights the risk of legacy smart contracts. The contract predates Solidity’s built-in overflow protection (added in Solidity 0.8.0 in 2020) and did not use safer arithmetic tooling such as OpenZeppelin SafeMath. The research disclosure drew broad positive attention in the community, though no public bug-bounty statement was reported by the HongCoin team.
For traders, the direct market impact is limited, but the event reinforces ongoing attention on Ethereum smart-contract security and could revive demand for “legacy contract” monitoring. Investors should check whether their wallet addresses are eligible for the HongCoin locked ETH refunds.
Neutral
The news is primarily a one-off investor recovery tied to Ethereum smart-contract security, not a protocol-level change. The recovered locked ETH (~$2M) is meaningful for the 48 participants, but small relative to overall Ethereum liquidity, so it is unlikely to drive broad market re-pricing.
Short-term, some related wallets may process claims and create modest sell pressure, especially if recipients treat refunds as “back to capital” events. However, the reporting suggests a remaining balance (907 ETH) and staggered withdrawals, which can spread any selling over time.
Long-term, this reinforces a recurring theme seen in past remediation cases: security researchers and project teams coordinating to repair legacy contracts can unlock previously stranded funds. That can improve sentiment toward auditing/monitoring and revive attention to older ICO-era contracts, typically having a mild positive effect on sector confidence rather than immediate bullish impact on price.
Overall, traders should treat this as a security-and-claim mechanics story rather than a market catalyst: monitor ETH-related flows around the affected contract, but expect limited impact on major benchmarks.