Whitehat developer unlocks $2 million stuck in a 2016 Ethereum ICO contract for nine years



A security researcher who goes by 0xflorent worked with the team behind a 2016 Ethereum (ETH) ICO contract to unlock about $2 million in ether that had sat trapped for nine years, in a coordinated whitehat recovery that exploited an integer-overflow flaw the original developers had never patched.

The contract belongs to HongCoin, a 2016 token sale that fell short of its funding goal and was supposed to auto-refund investors’ ether but failed to do so because of a bug in the refund function.

0xflorent’s approach unfroze 1,003.62 ETH, with 48 original investors now eligible to claim. Two have already done so, retrieving a combined 96.5 ETH worth roughly $193,000, he said in an X thread on Sunday.

The contract’s refund function rejected any holder whose token balance exceeded a global counter. Years of partial refunds had dragged that counter down to 356, so only holders with a balance of 356 tokens or less could still withdraw, capping any further refund at 3.56 ETH.


0xflorent found that an admin function on the contract, callable only by HongCoin’s multisig wallet, lacked the integer-overflow checks that later versions of the Solidity programming language perform by default. Calling it with an input value chosen so that the unchecked arithmetic wrapped around reset a holder’s balance to one, allowing the refund check to pass and releasing that holder’s funds.
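The following is an added example, not HongCoin’s contract code and not 0xflorent’s recovery script. It models the mechanism described above in Python: a refund gate that compares a token balance against a global counter, and an admin-only function whose addition wraps modulo 2**256 the way pre-0.8 Solidity does without SafeMath. The function names (admin_add, refund), the sample balances and contributions, and the assumption that the payout is the holder’s recorded contribution rather than the token balance are all assumptions for illustration. The wrap_to_one helper goes beyond the single case in the article by computing the overflow input for any balance, and the checked=True model shows why the same call reverts under Solidity 0.8 checked arithmetic.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# uint256 arithmetic as the EVM performs it: Solidity < 0.8 without SafeMath
# compiles a + b to a plain ADD that wraps modulo 2**256.
MODULUS = 2**256


class Revert(Exception):
    """Stands in for a Solidity revert/throw."""


@dataclass
class RefundModel:
    """Toy model of the described refund gate (assumed layout, not HongCoin's code).

    balances: token balance per holder (the value the gate inspects)
    contributions: ether each holder paid in (assumed to be the refund payout)
    counter: the global value the gate compares balances against
    checked: True models Solidity >= 0.8 checked arithmetic
    """
    balances: dict[str, int]
    contributions: dict[str, int]
    counter: int
    checked: bool = False
    paid_out: dict[str, int] = field(default_factory=dict)

    def admin_add(self, holder: str, amount: int) -> int:
        """Hypothetical multisig-only function that adds `amount` to a balance."""
        total = self.balances[holder] + amount
        if self.checked and total >= MODULUS:
            raise Revert("arithmetic overflow")      # Solidity >= 0.8 behaviour
        self.balances[holder] = total % MODULUS      # pre-0.8: silent wraparound
        return self.balances[holder]

    def refund(self, holder: str) -> int:
        """Refund gate: revert if the holder's token balance exceeds the counter."""
        if self.balances[holder] > self.counter:
            raise Revert("balance exceeds refund counter")
        amount = self.contributions[holder]
        self.contributions[holder] = 0
        self.balances[holder] = 0
        self.paid_out[holder] = self.paid_out.get(holder, 0) + amount
        return amount


def wrap_to_one(balance: int) -> int:
    """Input x with (balance + x) mod 2**256 == 1: the overflow trigger for any balance."""
    return (1 - balance) % MODULUS


def try_refund(model: RefundModel, holder: str) -> int | None:
    """Return the refunded amount, or None if the gate reverted."""
    try:
        return model.refund(holder)
    except Revert:
        return None


def recover(model: RefundModel, holder: str) -> int | None:
    """The described unlock sequence: wrap the balance to 1, then call refund."""
    try:
        model.admin_add(holder, wrap_to_one(model.balances[holder]))
    except Revert:
        return None  # checked arithmetic blocks the workaround entirely
    return try_refund(model, holder)


def sample_model(checked: bool) -> RefundModel:
    # Constructed sample state: a counter worn down to 356, one holder the gate
    # blocks ("big") and one whose balance is small enough to refund directly.
    return RefundModel(balances={"big": 5_000, "small": 300},
                       contributions={"big": 50, "small": 3},
                       counter=356, checked=checked)


def demo() -> dict[str, int | None]:
    legacy = sample_model(checked=False)
    hardened = sample_model(checked=True)
    return {
        "big_direct": try_refund(legacy, "big"),       # None: gate reverts
        "small_direct": try_refund(legacy, "small"),   # 3: under the counter
        "big_recovered": recover(legacy, "big"),       # 50: wrapped balance passes
        "big_hardened": recover(hardened, "big"),      # None: overflow reverts
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the gate itself is fine; the defect is that a privileged function performs unchecked arithmetic on the very value the gate inspects. Under checked arithmetic the same input simply reverts, which is why the recovery depended on the contract predating Solidity 0.8 and on the multisig being willing to sign.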

The recovery was not a unilateral exploit, however. Because the admin function could only be executed by HongCoin’s multisig, 0xflorent emailed the team and validated the unlock sequence on a test fork of Ethereum’s mainnet, and the team itself signed the unlock transactions.

The team signed 41 transactions, one per blocked holder, freeing the roughly 1,000 ETH that was actually stuck. The other seven of the 48 eligible holders held balances small enough to be refunded directly, without the workaround.

It is the second such recovery 0xflorent has publicized in eight days.

On May 24, he said he had returned 19.329 ETH, worth about $40,590, to its original owners, including 5.141 ETH from a failed January 2018 ICO and 14.190 ETH from seven expired atomic swaps in a Liquality Wallet user account that had become inaccessible after the wallet shut down in 2024.

The recovery lands during a heavy stretch of DeFi exploits, with April alone seeing hundreds of millions of dollars drained across protocols, headlined by a roughly $293 million hit on Kelp DAO.




