Whitehat developer unlocks $2 million stuck in a 2016 Ethereum ICO contract for nine years
0xflorent, a security researcher, found an integer-overflow flaw in the HongCoin token sale contract that lets the team unlock funds for 48 original investors. It is the second such recovery he has publicized in eight days.
By Shaurya Malwa Jun 1, 2026, 6:52 a.m.
What to know:
- A security researcher known as 0xflorent helped the team behind a failed 2016 HongCoin ICO unlock about 1,003.62 ETH, or roughly $2 million, that had been trapped in its smart contract for nine years.
- By coordinating with HongCoin’s multisig wallet holders, he used an unpatched integer-overflow flaw in an admin function to reset token balances and bypass a broken refund cap that had blocked larger withdrawals.
- The recovery, which makes 48 original investors eligible to reclaim funds and follows another recent rescue by 0xflorent, comes amid a wave of major DeFi exploits that have drained hundreds of millions of dollars from crypto protocols.
A security researcher who goes by 0xflorent worked with the team behind a 2016 Ethereum (ETH) ICO contract to unlock about $2 million in ether that had sat trapped for nine years, in a coordinated whitehat recovery that exploited an integer-overflow flaw the original developers had never patched.
The contract belongs to HongCoin, a 2016 token sale that fell short of its funding goal and was supposed to auto-refund investors' ether but failed to do so because of a bug in the refund function.
0xflorent's path unfroze 1,003.62 ETH, with 48 original investors now eligible to claim. Two have done so, retrieving a combined 96.5 ETH worth roughly $193,000, he said in an X thread Sunday.
First white-hat exploit on Ethereum: I unlocked 1,003.62 Ξ ($2,000,000) trapped in a 2016 ICO smart contract for 9 years.
The 48 original investors can now claim their funds. pic.twitter.com/lyh5iyaDu7
— 0xflorent.eth (@0xFlorent_) May 31, 2026
The contract's refund logic rejected any holder whose token balance exceeded a global counter that years of partial refunds had dragged down to 356, capping further refunds at 3.56 ETH.
0xflorent found that an admin function on the contract, restricted to HongCoin's multisig wallet, lacked the integer-overflow protections later built into the Solidity programming language. Calling it with a specific input value reset a holder's balance to one, allowing the refund check to pass and releasing the funds.
The recovery was not a unilateral exploit, however. Because the admin function required HongCoin's multisig to execute, 0xflorent emailed the team and validated the unlock sequence on a test fork of Ethereum's mainnet, and the team itself signed the unlock transactions.
It signed 41 transactions, one per blocked holder, freeing the roughly 1,000 ETH that was truly stuck. Another seven holders held small enough balances to refund directly without the workaround.
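The refund check and the wraparound described above, as a simplified model added here (it is not HongCoin's contract code, which the article does not show). It assumes the admin function adds an amount to a holder's balance with pre-0.8 unchecked uint256 arithmetic; the function names and the 5,000-token balance are constructed, and 356 is the counter value from the article.

```python
# Simplified model (added example, not HongCoin's code): a refund guard plus an
# admin balance adjustment, with wrapping vs. checked uint256 addition.
UINT256_MOD = 2 ** 256


def refund_allowed(balance: int, counter: int) -> bool:
    """Refund check as the article describes it: reject balances above the counter."""
    return balance <= counter


def add_unchecked(balance: int, amount: int) -> int:
    """uint256 addition before Solidity 0.8: the result silently wraps mod 2**256."""
    return (balance + amount) % UINT256_MOD


def add_checked(balance: int, amount: int) -> int:
    """uint256 addition as Solidity 0.8+ performs it: revert on overflow."""
    result = balance + amount
    if result >= UINT256_MOD:
        raise OverflowError("uint256 addition overflow: transaction reverts")
    return result


def wrapping_amount(balance: int, target: int) -> int:
    """Amount that makes an unchecked add land on `target` after wrapping."""
    return (target - balance) % UINT256_MOD


def demo(balance: int, counter: int = 356):
    """Return (blocked_before, new_balance, allowed_after, checked_reverts)."""
    blocked_before = not refund_allowed(balance, counter)
    amount = wrapping_amount(balance, 1)
    new_balance = add_unchecked(balance, amount)
    try:
        add_checked(balance, amount)
        checked_reverts = False
    except OverflowError:
        checked_reverts = True
    return blocked_before, new_balance, refund_allowed(new_balance, counter), checked_reverts


if __name__ == "__main__":
    # 5_000 is a constructed holder balance, not a figure from the article.
    print(demo(5_000))
```

With checked arithmetic the same call reverts, which is why this path only exists in contracts compiled without overflow protection.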
It is the second such recovery 0xflorent has publicized in eight days.
On May 24, he said he had returned 19.329 ETH, worth about $40,590, to its original owners, including 5.141 ETH from a failed January 2018 ICO and 14.190 ETH from seven expired atomic swaps in a Liquality Wallet user account that had become inaccessible after the wallet shut down in 2024.
The recovery lands during a heavy stretch of DeFi exploits, with April alone seeing hundreds of millions of dollars drained across protocols, headlined by a roughly $293 million hit on Kelp DAO.