Researcher Cracks 9-Year-Old Bug, Frees $2M in Ethereum Locked Since 2016 ICO
A security researcher known as 0xflorent recovered roughly 1,003.62 ETH, worth approximately $2 million, that had been trapped inside a failed 2016 Ethereum ICO smart contract for nearly nine years.

Key Takeaways
- Security researcher 0xflorent freed 1,003.62 ETH from a 2016 Hongcoin ICO contract locked by a bug for nearly 9 years.
- The whitehat exploit used an integer overflow in a multisig admin function, requiring 41 signed transactions to unblock 48 investors.
- Two investors have already claimed 96.5 ETH, with roughly 882 ETH still available as of June 1, 2026.

A 2016 ICO That Never Paid Back
The funds originated from Hongcoin, also referred to as “The HONG,” a 2016 Ethereum-based project pitched as a community-run decentralized investment fund. The ICO failed to hit its funding target, which should have triggered an automatic refund to contributors.
It did not work that way.
A bug in the refund logic blocked most investors from claiming their ETH. The contract compared each investor’s token balance against a global counter. Partial refunds over the years had reduced that counter to 356, capping any further refunds at just 3.56 ETH per holder. Most of the 48 remaining investors held far more than that. Their funds stayed locked.
The contract address, 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9, remains verifiable on Etherscan.
The Exploit That Fixed It
0xflorent identified an integer-overflow vulnerability in an admin-only function tied to the Hongcoin team’s multisig wallet. The function was originally designed to mint bounty tokens but lacked overflow protections, a common weakness in pre-SafeMath Solidity code from 2016.

By passing a specific input value, the function could reset an investor’s token balance to 1, bypassing the refund check and allowing the contract to release the corresponding ETH.
Florent described it as the “first white-hat exploit on Ethereum,” noting that no outside attacker had any incentive to use it. The funds could only flow back to the original contributors. There was no ownership takeover and no theft vector.
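The wraparound described above can be modeled in a few lines. This is an added illustration, not code from the Hongcoin contract or from 0xflorent: the function names, the exact form of the refund comparison, and the 5,000-token sample balance are assumptions. It shows how unchecked 256-bit addition lets a balance land on 1, and how a SafeMath-style checked addition rejects the same input.

```python
# Simplified model of pre-SafeMath uint256 arithmetic (added example).
# All names here are hypothetical; this is not the contract's code.
UINT256_MOD = 2**256


def refund_allowed(balance: int, counter: int) -> bool:
    """Assumed form of the refund check: balance must not exceed the counter."""
    return balance <= counter


def mint_unchecked(balance: int, amount: int) -> int:
    """2016-style addition: the result silently wraps modulo 2**256."""
    return (balance + amount) % UINT256_MOD


def mint_checked(balance: int, amount: int) -> int:
    """SafeMath-style addition: reject any sum that does not fit in uint256."""
    total = balance + amount
    if total >= UINT256_MOD:
        raise OverflowError("uint256 addition overflow")
    return total


def wrap_amount(balance: int, target: int) -> int:
    """Amount that makes the unchecked addition land exactly on `target`."""
    return (target - balance) % UINT256_MOD


def demo(balance: int = 5000, counter: int = 356):
    # balance is a constructed sample value; 356 is the counter from the article.
    blocked_before = not refund_allowed(balance, counter)
    amount = wrap_amount(balance, 1)
    new_balance = mint_unchecked(balance, amount)
    try:
        mint_checked(balance, amount)
        checked_rejects = False
    except OverflowError:
        checked_rejects = True
    return blocked_before, new_balance, refund_allowed(new_balance, counter), checked_rejects


if __name__ == "__main__":
    print(demo())
```

With overflow checks in place, which Solidity 0.8 and later apply by default, the same call reverts instead of wrapping.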
How the Recovery Unfolded
Florent reached out privately to the dormant Hongcoin team by email. He validated the full unlock sequence on a local Foundry fork of Ethereum mainnet before touching anything on-chain. The team’s multisig then signed 41 transactions, one for each blocked holder requiring a balance reset. Seven holders with smaller balances could claim refunds directly without the workaround.
The entire process took about one week.
As of June 1, 2026, all 1,003.62 ETH had been unfrozen. Two investors have already claimed a combined 96.5 ETH, worth roughly $193,000. They sent Florent a voluntary bounty. He took no fees, no cut, and no commission.
Roughly 882 ETH remains available for the other investors to claim.
A Pattern of Whitehat Work
This was Florent’s second publicized recovery in eight days. On May 24, he returned 19.329 ETH, about $40,590, from a 2018 ICO contract and expired atomic swaps tied to a now-defunct wallet.
Florent uses custom scanning tools, including a self-hosted node, to locate contracts holding more than 100 ETH. He noted that many old contracts are forks of one another, meaning vulnerabilities often cluster. He also mentioned using Claude Code to accelerate analysis, but cautioned that the tool can be overly pessimistic about contracts it flags as uncrackable.
What This Means for Early Ethereum Holders
Hundreds of Ethereum smart contracts from the 2016 and 2017 ICO boom era still hold locked funds. Most contributors wrote those balances off years ago.
Florent’s work is a reminder that some of those contracts still have a door, and someone with the right tools might find the key.
