A security researcher named 0xflorent worked with the team behind Ethereum in 2016 ($ETH) ICO deal unlocks nearly $2 million in Ether that was locked away for nine years in a coordinated white-hat recovery that exploited an integer overflow flaw that was not patched by the original developer.
This contract belongs to HongCoin, which was supposed to automatically refund Ethereum to investors after failing to meet its fundraising goal during a token sale in 2016, but a bug in the refund function prevented the refund from occurring.
Path 0xflorent unfrozen 1,003.62 $ETH48 original investors are currently eligible to claim. Two people did this and got a total of 96.5. $ETH It’s worth about $193,000, he said on Sunday’s X Thread.
First White Hat Exploit on Ethereum: 1,003.62 unlocked
Ξ ($2,000,000) Trapped in an ICO Smart Contract in 2016
9 years.The original 48 investors can now claim their funds. pic.twitter.com/lyh5iyaDu7
— 0xflorent.eth (@0xFlorent_) May 31, 2026
The contract’s refund logic meant that holders whose token balance exceeded a global counter of 356 after years of partial refunds were rejected, with a cap on further refunds of 3.56. $ETH.
0xflorent discovered that HongCoin’s multisig wallet-limited on-contract management functionality lacked integer overflow protection that was later incorporated into the Solidity programming language. When called with specific input values, the holder’s balance will be reset to 1, the refund check will pass, and the funds will be released.
However, this recovery was not a one-sided exploitation. Since HongCoin multisig was required to perform administrative functions, 0xflorent sent an email to the team to verify the unlock sequence on a test fork of Ethereum’s mainnet, and the team itself signed the unlock transaction.
We signed 41 transactions, one for each blocked owner, and released approximately 1,000 transactions. $ETH It was really stuck. Another seven holders had balances small enough to be refunded directly without any workarounds.
This is the second time in the past eight days that 0xflorent has announced such a recovery.
On May 24, he said he returned $19.329. $ETHworth approximately $40,590 to the original owner, including $5,141 $ETH From the failed January 2018 ICO and 14.190 $ETH It arose from seven expired atomic swaps within Liquality wallet user accounts that became inaccessible after the wallet closure in 2024.
This recovery has landed during a time of massive DeFi exploits, with hundreds of millions of dollars leaked across protocols in April alone, led by a roughly $293 million hit to the Kelp DAO.
