#What happened with the HongCoin ICO?
The HongCoin initial coin offering started in August 2016 and attracted contributions in ETH from 48 participants. When the fundraising target was not reached, the smart contract was meant to refund contributors, but an integer-overflow vulnerability prevented the refund mechanism from working. This type of flaw occurs when a numerical value exceeds the limit that a variable can store, causing it to wrap around to zero or another unintended value. As a result, approximately 1,003.62 ETH, valued at around $2 million, sat locked for nearly nine years in the contract at address 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9.
#How was the vulnerability resolved?
In a remarkable turn of events, the security researcher known as 0xFlorent_ discovered the integer-overflow bug but opted for a responsible approach rather than exploiting it. He first confirmed the vulnerability in a controlled environment and then worked with the HongCoin team to develop a solution. From May 26 to May 30, the team executed a total of 41 transactions on-chain, restoring the contract's functionality for processing refunds without deploying new contracts or involving intermediaries. This enabled investors to access their original funds directly through the existing contract.
As of May 31, around 907 ETH of the original 1,003.62 ETH remained unclaimed in the contract, which indicates that many original investors had begun to claim their funds soon after the fix.
#What does this mean for the future of legacy smart contracts?
The HongCoin incident illustrates the risks associated with legacy contracts written before more robust language-level protections were established. Prior to Solidity version 0.8.0, which made integer arithmetic revert on overflow by default, many contracts, HongCoin's among them, were exposed to similar flaws. This case has prompted discussions in the crypto community about the need for legacy contracts to be reviewed and potentially updated to safeguard investors' interests.
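To make the overflow explanation above and the Solidity 0.8.0 point concrete, here is an added Python model (not HongCoin's contract, whose actual defect is not described here) of a refund ledger that keeps its running total in a too-narrow unsigned integer. The contribution amounts, addresses and the sanity check in `refund` are all constructed for illustration; the model runs the same ledger with pre-0.8.0 wraparound arithmetic and with 0.8.0-style checked arithmetic.

```python
# Hypothetical model of the refund-lockup class described above (not HongCoin's
# code): a contract keeps its running total of contributions in a too-narrow
# unsigned integer, shown with pre-0.8.0 wraparound arithmetic and with the
# checked arithmetic Solidity 0.8.0 introduced.
WEI = 10**18

def wrap_add(a, b, bits):
    """Pre-0.8.0 semantics: the sum silently wraps modulo 2**bits."""
    return (a + b) & ((1 << bits) - 1)

def checked_add(a, b, bits):
    """Solidity >= 0.8.0 semantics: an overflowing sum reverts the transaction."""
    s = a + b
    if s >> bits:
        raise OverflowError("arithmetic overflow: transaction reverts")
    return s

class RefundLedger:
    """Contributions sit in a full-width mapping, but the running total lives
    in a `bits`-wide counter, which is where the (hypothetical) defect sits."""
    def __init__(self, add, bits):
        self.add, self.bits = add, bits
        self.contrib, self.total_raised = {}, 0
    def contribute(self, addr, wei):
        self.contrib[addr] = self.contrib.get(addr, 0) + wei
        self.total_raised = self.add(self.total_raised, wei, self.bits)
    def refund(self, addr):
        """Refund in wei, or 0 when the sanity check rejects it: a contribution
        above the recorded total is treated as bogus, so a wrapped total blocks everyone."""
        amt = self.contrib.get(addr, 0)
        return amt if amt <= self.total_raised else 0

# Constructed sample: 47 contributors of 21 ETH plus one of 16.62 ETH = 1,003.62 ETH.
CONTRIBUTIONS = [21 * WEI] * 47 + [16_620_000_000_000_000_000]

def simulate(add, bits):
    """Run the ICO, then count contributors whose refund comes back as 0."""
    ledger = RefundLedger(add, bits)
    addrs = [f"0x{i:040x}" for i in range(len(CONTRIBUTIONS))]  # placeholder addresses
    for addr, wei in zip(addrs, CONTRIBUTIONS):
        ledger.contribute(addr, wei)
    return ledger.total_raised, sum(1 for a in addrs if ledger.refund(a) == 0)

if __name__ == "__main__":
    print(simulate(wrap_add, 64))      # total wrapped to ~7.5 ETH, all 48 refunds blocked
    try:
        simulate(checked_add, 64)      # same defect, but it now reverts on the first deposit
    except OverflowError as e:
        print("checked uint64:", e)
    print(simulate(checked_add, 256))  # correct width: 1,003.62 ETH recorded, nobody locked
```

The contrast is the practical lesson: with wrapping arithmetic the defect surfaces only when refunds fail years later, whereas checked arithmetic makes the very first oversized deposit revert, so the sizing mistake is caught in testing rather than in production.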
The response to this successful resolution on social media demonstrates a positive outlook from the crypto community, highlighting the collaborative effort between the researcher and the HongCoin team. However, it is notable that the HongCoin team has yet to announce any bug bounty for the researcher, despite the high value of the recovered funds.
#What should investors do now?
If you are one of the 48 original participants in the HongCoin ICO, your immediate step is to verify whether your wallet address is eligible for a refund. With 907 ETH still sitting in the contract, a considerable number of investors have not yet claimed theirs. Everyone affected should look into recovering their contribution as soon as possible, given the time elapsed and the size of the funds involved.