Whitehat developer unlocks $2 million stuck in a 2016 Ethereum ICO contract for nine years 0xflorent, a security researcher, found an integer-overflow flaw in the HongCoin token sale contract that lets the team unlock funds for 48 original investors.
It is the second such recovery he has publicized in eight days
What to know: – A security researcher known as 0xflorent helped the team behind a failed 2016 HongCoin ICO unlock about 1,003.62 ETH, or roughly $2 million, that had been trapped in its smart contract for nine years. – By coordinating with HongCoin’s multisig wallet holders, he used an unpatched integer-overflow flaw in an admin function to reset token balances and bypass a broken refund cap that had blocked larger withdrawals. – The recovery, which makes 48 original investors eligible to reclaim funds and follows another recent rescue by 0xflorent, comes amid a wave of major DeFi exploits that have drained hundreds of millions of dollars from crypto protocols. A security researcher who goes by 0xflorent worked with the team behind a 2016 Ethereum (ETH) ICO contract to unlock about $2 million in ether that had sat trapped for nine years, in a coordinated whitehat recovery that exploited an integer-overflow flaw the original developers had never patched. The contract belongs to HongCoin, a 2016 token sale that fell short of its funding goal and was supposed to auto-refund investors’ ether but failed to do so because of a bug in the refund function. 0xflorent’s path unfroze 1,003.62 ETH, with 48 original investors now eligible to claim.
Two have done so, retrieving a combined 96.5 ETH worth roughly $193,000, he said in an X thread Sunday. First white-hat exploit on Ethereum: I unlocked 1,003.62 — 0xflorent.eth (@0xFlorent_) May 31, 2026 Ξ ($2,000,000) trapped in a 2016 ICO smart contract for 9 years. The 48 original investors can now claim their funds. pic.