Failed Ethereum ICO from 2016 just unlocked 1,003 ETH by exploiting itself

Summary

A white-hat researcher, 0xFlorent, helped recover 1,003.62 ETH from HongCoin, a failed 2016 ICO whose refundable funds had been trapped for nine years. At roughly $1,983 per ETH, the recovery was worth about $1.99 million. The contract’s refund function was broken by faulty accounting: as some refunds reduced the global `tokensCreated` counter, larger holders could no longer pass the refund check. The workaround used a separate admin function, `mgmtIssueBountyToken()`, which could alter balances, but only through HongCoin’s original multisig control path. By coordinating with that old permission structure and using pre-0.8 Solidity overflow behavior, balances were adjusted low enough for refunds to succeed. In total, 41 signed transactions were needed for the blocked holders, while seven smaller holders could refund normally. The case shows that dormant Ethereum contracts can still contain live escape hatches if old permissions remain accessible.
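The two mechanics above, modelled as an added example that is not HongCoin's code: `uint256` addition under pre-0.8 (wrapping) versus 0.8+ (checked) semantics, a hypothetical add-only admin issuance in the style of `mgmtIssueBountyToken()`, and the accounting invariant a refund contract must keep between its global counter and the per-holder balances. The balance figures are constructed and the exact HongCoin refund check is not on the page, so the invariant here is the general one rather than HongCoin's.

```python
# Added model, not HongCoin's contract: uint256 wraparound vs checked
# arithmetic, plus the counter/balance invariant a refund path should keep.
UINT256_MAX = 2**256 - 1


def unchecked_add(a: int, b: int) -> int:
    """Pre-0.8 Solidity semantics: addition wraps modulo 2**256."""
    return (a + b) & UINT256_MAX


def checked_add(a: int, b: int) -> int:
    """Solidity >= 0.8 semantics: an overflow reverts the transaction."""
    total = a + b
    if total > UINT256_MAX:
        raise OverflowError("arithmetic overflow, transaction reverts")
    return total


def issue_tokens(balances: dict, holder: str, amount: int, checked: bool) -> int:
    """Hypothetical add-only admin issuance (mgmtIssueBountyToken-style).
    Under wrapping arithmetic an addition can still *lower* a balance;
    under checked arithmetic the same call reverts. Returns the new balance."""
    add = checked_add if checked else unchecked_add
    balances[holder] = add(balances[holder], amount)
    return balances[holder]


def accounting_ok(balances: dict, tokens_created: int) -> bool:
    """Invariant a refund contract should preserve: the global counter equals
    the sum of holder balances. Once the two drift apart, refund checks that
    compare a balance against the counter start rejecting legitimate holders."""
    return sum(balances.values()) == tokens_created


def demo() -> tuple:
    # Constructed balances in token base units (not HongCoin's real figures).
    balances = {"large_holder": 10**24, "small_holder": 10**21}
    target = 5 * 10**20
    # With wrapping, adding (2**256 - old + target) lands exactly on target.
    amount = (2**256 - balances["large_holder"]) + target
    wrapped = issue_tokens(dict(balances), "large_holder", amount, checked=False)
    try:
        issue_tokens(dict(balances), "large_holder", amount, checked=True)
        reverted = False
    except OverflowError:
        reverted = True  # 0.8+ checked arithmetic closes this path
    return wrapped, reverted
```

Monitoring `accounting_ok` on every balance-changing call is the cheap way to notice counter drift before refunds start failing for larger holders.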