Researcher Cracks 2016 HongCoin Bug, Frees $2M in Trapped ETH

A white-hat researcher unlocked over $2M in ETH trapped in a 2016 HongCoin ICO smart contract, returning funds to 48 investors after nine years.

A 2016 Ethereum ICO called HongCoin never reached its funding goal. The contract was supposed to handle that issue. It didn’t. The smart contract had a broken refund function, and the money just sat there.

Nine years and roughly $2 million later, a white-hat researcher going by 0xFlorent_ on X announced what he described as the first white-hat exploit on Ethereum. 1,003.62 ETH, worth approximately two million dollars at current prices, had been sitting locked in that contract since the ICO era. The 48 original investors couldn’t touch it.

Nine Years, One Bug, $2M Nobody Could Touch

HongCoin was a fundraising project that ran during the ICO wave of 2016. It never hit its funding goal. The contract was designed to auto-refund contributors when that happened. According to 0xFlorent_ on X, a bug in the refund function quietly broke the mechanism. The ETH sat there. Nobody moved it.

It wasn’t theft. It wasn’t a rug. It was a broken door that looked closed from both sides. The investors had no path to reclaim funds, and the HongCoin team had no obvious way to push them back out.

The contract address, 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9, had been holding that ETH in plain view on-chain the entire time. Anyone could see the balance. Nobody had a working way in.

41 Transactions Later, the Lock Finally Broke

The way out was an admin function with an integer overflow vulnerability. Calling it with a specific input value resets a holder’s balance and bypasses the refund check that had been blocking withdrawals. 0xFlorent_ posted the full breakdown on X, saying he tested the approach end-to-end before sharing it with the HongCoin team.

The team then executed 41 unlock transactions on-chain earlier this week. On-chain proof is visible at this Etherscan address. The ETH balance in the contract shows 1,003.624048369852000001 ETH, valued at just over $2,091,775 at the time of writing.

Source: 0xFlorent_ on X (Etherscan screenshot)

“Many thanks to the HongCoin team for trusting the approach and executing the on-chain recovery,” 0xFlorent_ said on X. The team, for their part, didn’t ask too many questions about the method.

What the HongCoin Contract Got Wrong in 2016

Integer overflow bugs were a common problem in early Ethereum contracts. Before Solidity added built-in overflow checks, developers had to add them manually. Many didn’t. An admin function that wasn’t intended as the exit point contained one of these weaknesses in the HongCoin contract. It turned into the only exit.

The broader picture tells a different story from most crypto exploits. This wasn’t a drain. 0xFlorent_ found the flaw, didn’t take the money, and handed the path to the team. Investigators rarely recover dormant on-chain funds like this. The decade-old ETH wallet activity that surfaces in 2026 usually draws far less cooperative outcomes.

The 48 investors can now claim their ETH. How many will still have access to the original wallet addresses from nine years ago is another matter entirely. On-chain data confirms that the funds are unlocked.

The post Researcher Cracks 2016 HongCoin Bug, Frees $2M in Trapped ETH appeared first on Live Bitcoin News.