A whitehat developer recovered 1,003 ETH (roughly $2 million) that had been locked in a 2016 HongCoin ICO smart contract for nine years, while lending protocol Aave announced a full risk-management overhaul following April’s $230 million rsETH exploit. The two events underscore a renewed focus on security and systemic vulnerability in decentralized finance.
Rescuing the HongCoin Funds
In an X thread on Sunday, security researcher Florent detailed how he helped unlock ETH trapped since 2016 in “The HONG” token sale. The contract’s refund function failed because a global counter had dropped to 356, capping total refunds at 3.56 ETH, while most holders held far more. Exploiting an oversight in the old Solidity code, which lacked overflow protection, Florent found that a team-only admin function could reset a holder’s balance to 1, allowing the refund to process. The exploit was not unilateral—Florent contacted the HongCoin multisig team, validated the approach on a Foundry fork, and the team signed 41 transactions to free the stuck funds. So far, two investors have reclaimed 96.5 ETH (~$193,000) and voluntarily sent a whitehat reward. Florent said no fees were taken and the motivation was curiosity. He recently built a scanner node to flag contracts holding large ETH balances and had previously freed 19.329 ETH from other stranded contracts.
Aave Responds to $230M Bridge Exploit
Separately, Aave published a postmortem on the largest DeFi attack of 2026, which drained $230 million from its V3 markets in April. The breach did not originate in Aave’s code but in a KelpDAO rsETH bridge secured by LayerZero: a single verifier approved a forged cross‑chain message that minted 116,500 unbacked rsETH tokens. The attacker then deposited the fake rsETH into Aave and borrowed funds against them. Aave’s risk managers have since executed roughly 295 parameter changes, including 168 supply‑cap and 66 borrow‑cap reductions. As a result, the protocol is now rewriting its listing standards to evaluate bridge infrastructure, oracle dependencies, custodians, and operational security—not just smart contract risks. It also plans automated defenses that can reduce an asset’s loan‑to‑value ratio to zero if predefined risk thresholds are breached.
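As an added illustration of the kind of automated threshold defense described above (this is not Aave’s, KelpDAO’s or LayerZero’s code): a hypothetical monitor that compares a bridged asset’s minted supply with what is locked on the source chain, checks how many verifiers signed the last mint, and on any breach drops the asset’s loan-to-value to zero and stops new supply. All names, thresholds and sample numbers are constructed.

```python
from dataclasses import dataclass

@dataclass
class AssetRisk:
    """Hypothetical risk parameters for one listed collateral asset."""
    symbol: str
    ltv_bps: int        # loan-to-value in basis points, 7000 = 70%
    supply_cap: int     # max units accepted as collateral; 0 halts new supply
    frozen: bool = False

@dataclass
class BridgeObservation:
    """Constructed snapshot: source-chain locked amount vs destination mints."""
    locked_on_source: int
    minted_on_dest: int
    verifier_count: int  # independent verifiers that approved the last mint

def backing_ratio_bps(obs: BridgeObservation) -> int:
    """10_000 means every minted unit is backed 1:1 by locked collateral."""
    if obs.minted_on_dest == 0:
        return 10_000
    return obs.locked_on_source * 10_000 // obs.minted_on_dest

def evaluate(asset: AssetRisk, obs: BridgeObservation, prev_minted: int,
             min_backing_bps: int = 9_900, max_mint_jump_bps: int = 1_000,
             min_verifiers: int = 2) -> list:
    """Return the names of breached thresholds; apply the circuit breaker if any.

    Thresholds are illustrative: a 1% backing shortfall, a 10% jump in minted
    supply since the last observation, or a mint approved by fewer than two
    verifiers each count as a breach.
    """
    breaches = []
    if backing_ratio_bps(obs) < min_backing_bps:
        breaches.append("unbacked_supply")
    if prev_minted > 0:
        jump_bps = (obs.minted_on_dest - prev_minted) * 10_000 // prev_minted
        if jump_bps > max_mint_jump_bps:
            breaches.append("mint_spike")
    if obs.verifier_count < min_verifiers:
        breaches.append("single_verifier")
    if breaches:
        # Circuit breaker: no new borrowing against the asset, no new deposits.
        asset.ltv_bps = 0
        asset.supply_cap = 0
        asset.frozen = True
    return breaches
```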
Together, the stories highlight the dual nature of DeFi: persistent vulnerabilities and the growing counter‑movement of security researchers and protocol guardians aiming to protect user funds.