White Hat Hacker Recovers $2 Million in ETH Locked in 2016 ICO Smart Contract

TLDR

• A security researcher called “0xflorent” recovered ~1,003 ETH (worth ~$2M) stuck in a 2016 HongCoin ICO contract for nearly a decade
• A bug in the refund function blocked investors from getting their ETH back after the ICO failed to hit its funding goal
• Florent worked with the HongCoin team to exploit an integer overflow vulnerability in an admin function to unlock the funds
• 48 original investors can now claim their ETH; two have already reclaimed 96.5 ETH (~$193,000)
• Florent received no fee — only a voluntary “whitehat reward” from two investors

A security researcher has helped unlock roughly 1,003 Ether worth about $2 million that had been stuck in a 2016 ICO smart contract for nearly a decade.

The funds belonged to investors in HongCoin, an Ethereum token sale that was pitched as a community-run investment fund. The ICO ran from August 29 to October 28, 2016, but never reached its funding goal.

When the sale failed, the smart contract was supposed to automatically refund investors. Instead, a bug in the refund function quietly blocked that from happening.

The researcher, known online as “0xflorent” or Florent, explained the technical issue in a post on X. The refund function rejected any holder whose token balance was higher than a global counter. Over the years, partial refunds had pulled that counter down to 356, capping total refunds at just 3.56 ETH — far below what most investors were owed.

The contract was written in an old version of Solidity, the programming language used for Ethereum smart contracts. It lacked protections against integer overflow errors — a flaw where a number climbs high enough that it wraps back around to zero or one. That vulnerability was later patched in the industry with a tool called SafeMath.

How the Funds Were Unlocked

Florent found a way through using the HongCoin team’s own admin function. Calling it with a specific input value reset a holder’s token balance back to one, which allowed the refund check to pass and released the ETH.

This was not a solo hack. The admin function was locked behind the HongCoin team’s multisig wallet, meaning the team had to sign off on every transaction. Florent emailed the team, tested the fix on a copy of the network, and the team then signed 41 transactions — one for each blocked investor. The whole process took about a week.

Of the 48 eligible investors, 41 needed the balance reset. The other seven held small enough amounts to be refunded directly.

Two investors have already claimed a combined 96.5 ETH, worth around $193,000. Both voluntarily sent Florent a whitehat reward, though no payment was required. “There were no fees, no cut, no commission,” Florent told The Block.

A Pattern of Recovery Work

This is not Florent’s first recovery. On May 24, he described freeing 19.33 Ethereum from two separate older contracts — a failed 2018 ICO and a Liquality Wallet user whose funds were trapped in expired atomic swaps.

Florent said he recently set up his own Ethereum node and built a scanner to find contracts holding more than 100 ETH. He then worked through candidates looking for exploitable flaws.

He also used Claude Code to help sort and cluster contracts, though he noted the AI tool has limits when it comes to analyzing smart contract vulnerabilities directly.

The post White Hat Hacker Recovers $2 Million in ETH Locked in 2016 ICO Smart Contract appeared first on CoinCentral.