A security researcher known as 0xflorent recovered about 1,003.62 ETH, worth about $2 million, that had been trapped inside a failed 2016 Ethereum ICO smart contract for about 9 years.
Key Takeaways
- Security researcher 0xflorent freed 1,003.62 ETH from a 2016 Hongcoin ICO contract locked by a bug for about 9 years.
- The whitehat exploit used an integer overflow in a multisig admin function, requiring 41 signed transactions to unblock 48 investors.
- Two investors have already claimed 96.5 ETH, with about 882 ETH still available as of June 1, 2026.
A 2016 ICO That Never Paid Back
The funds originated from Hongcoin, also referred to as “The HONG,” a 2016 Ethereum-based project pitched as a community-run decentralized investment fund. The ICO failed to hit its funding target, which should have triggered an automatic refund to contributors.
It did not work that way.
A bug in the refund logic blocked most investors from claiming their ETH. The contract compared each investor’s token balance against a global counter. Partial refunds over the years had reduced that counter to 356, capping any further refunds at just 3.56 ETH per holder. Most of the 48 remaining investors held far more than that. Their funds stayed locked.
The contract address, 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9, remains verifiable on Etherscan.
The Exploit That Fixed It
0xflorent identified an integer-overflow vulnerability in an admin-only function tied to the Hongcoin team’s multisig wallet. The function was originally designed to mint bounty tokens but lacked overflow protections, a common weakness in pre-SafeMath Solidity code from 2016.
By passing a specific input value, the function could reset an investor’s token balance to 1, bypassing the refund check and allowing the contract to release the corresponding ETH.
Florent described it as the “first white-hat exploit on Ethereum,” noting that no outside attacker had any incentive to use it. The funds could only go back to the original contributors. There was no ownership takeover and no theft vector.
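The wrap-around behind that balance reset, and the checked addition that prevents it, can be modelled in a few lines. This is an added example, not the Hongcoin contract's code: the class, the function names, the direction of the refund comparison, and the 5,000-token sample balance are assumptions, and the payout calculation is not modelled.

```python
UINT256 = 2**256  # EVM arithmetic is performed modulo 2**256

def unchecked_add(a, b):
    """Pre-SafeMath Solidity '+': silently wraps on overflow."""
    return (a + b) % UINT256

def checked_add(a, b):
    """SafeMath-style add (the default since Solidity 0.8): revert on overflow."""
    c = a + b
    if c >= UINT256:
        raise OverflowError("addition overflow")
    return c

class RefundModel:
    """Hypothetical stand-in for the contract state described in the article."""
    def __init__(self, counter, balances, add=unchecked_add):
        self.counter = counter          # global counter (356 in the article)
        self.balances = dict(balances)  # token balance per holder
        self.add = add

    def can_refund(self, holder):
        # Assumed form of the check: balance must not exceed the counter.
        return 0 < self.balances[holder] <= self.counter

    def mint_bounty(self, holder, amount):
        # Admin-only in the article; access control is omitted in this model.
        if not 0 <= amount < UINT256:
            raise ValueError("amount is not a uint256")
        self.balances[holder] = self.add(self.balances[holder], amount)

def wrap_amount_to(balance, target):
    """Amount for which balance + amount wraps around to target."""
    return (target - balance) % UINT256

def demo():
    legacy = RefundModel(356, {"holder": 5000})  # constructed sample balance
    before = legacy.can_refund("holder")
    amount = wrap_amount_to(5000, 1)
    legacy.mint_bounty("holder", amount)
    after = legacy.can_refund("holder")
    hardened = RefundModel(356, {"holder": 5000}, add=checked_add)
    try:
        hardened.mint_bounty("holder", amount)
        rejected = False
    except OverflowError:
        rejected = True
    return before, legacy.balances["holder"], after, rejected

if __name__ == "__main__":
    print(demo())
```

With checked addition the same call reverts and the balance is left untouched, which is why this class of bug is specific to contracts compiled without overflow checks.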
How the Recovery Unfolded
Florent reached out privately to the dormant Hongcoin team by email. He validated the full unlock sequence on a local Foundry fork of Ethereum mainnet before touching anything on-chain. The team’s multisig then signed 41 transactions, one for each blocked holder requiring a balance reset. Seven holders with smaller balances could claim refunds directly without the workaround.
The whole process took about one week.
As of June 1, 2026, all 1,003.62 ETH had been unfrozen. Two investors have already claimed a combined 96.5 ETH, worth about $193,000. They sent Florent a voluntary bounty. He took no fees, no cut, and no commission.
Roughly 882 ETH remains available for the other investors to claim.
A Pattern of Whitehat Work
This was Florent’s second publicized recovery in 8 days. On May 24, he returned 19.329 ETH, about $40,590, from a 2018 ICO contract and expired atomic swaps tied to a now-defunct wallet.
Florent uses custom scanning tools, including a self-hosted node, to find contracts holding more than 100 ETH. He noted that many old contracts are forks of one another, meaning vulnerabilities often cluster. He also mentioned using Claude Code to accelerate analysis, but cautioned that the tool can be overly pessimistic about contracts it flags as uncrackable.
What This Means for Early Ethereum Holders
Hundreds of Ethereum smart contracts from the 2016 and 2017 ICO boom era still hold locked funds. Most contributors wrote those balances off years ago.
Florent’s work is a reminder that some of those contracts still have a door, and someone with the right tools might find the key.
