Whitehat Unlocks $2M Stuck in 2016 ETH ICO Contract
Security researcher 0xflorent recovered 1,003.62 ETH (~$2M) locked in a HongCoin ICO contract for nine years by exploiting an integer overflow with the team's cooperation, enabling 48 investors to claim funds.
Quick Take
- 1,003.62 ETH recovered via integer overflow in admin function.
- 48 original investors eligible; two already claimed 96.5 ETH.
- HongCoin multisig signed 41 transactions to execute the fix.
- Second whitehat recovery by 0xflorent in eight days.
Market Impact Analysis
Neutral: The whitehat recovery narrative reinforces trust in Ethereum's security, but has no direct market-moving impact.
Key Takeaways
- 1,003.62 ETH (~$2M) recovered from a 2016 ICO contract via an integer-overflow exploit.
- 48 original investors are eligible to reclaim their funds after nine years.
- Two investors have already withdrawn 96.5 ETH (~$193,000) since the fix.
- The recovery required 41 transactions signed by the HongCoin multisig team.
- This marks 0xflorent’s second whitehat rescue in eight days.
What Happened
A security researcher known as 0xflorent unlocked $2 million in ether trapped for nine years in a 2016 HongCoin ICO contract. Working with the original project team, he exploited an integer-overflow vulnerability in an admin function that had never been fixed. The operation freed 1,003.62 ETH, enabling 48 original investors to claim refunds from the failed token sale. Two have already withdrawn 96.5 ETH, worth roughly $193,000. The recovery was entirely coordinated: 0xflorent tested the exploit on a fork of mainnet, and the HongCoin multisig signed the 41 necessary transactions to reset investor balances and bypass the buggy refund logic.
The Numbers
The HongCoin contract held 1,003.62 ETH, valued at approximately $2 million at current prices. The refund mechanism had a critical bug: a global refund counter stuck at 356 limited individual refunds to 3.56 ETH, regardless of actual contributions. By exploiting the integer overflow in an unprotected admin function, 0xflorent reset balances to one, allowing the full amount to be claimed. In total, 48 investors are eligible. As of the announcement, two had claimed 96.5 ETH. The HongCoin team’s multisig signed 41 transactions to enable the recovery, while seven other holders with small balances could refund directly without the workaround.
Why It Happened
The root cause lies in the primitive state of smart contract development in 2016. Solidity, Ethereum’s programming language, lacked built-in overflow protections until version 0.8 in 2020. The HongCoin contract’s refund logic capped payouts using a global counter that was decremented with each refund but never incremented if new contributions came in. This created a bottleneck. Additionally, an admin function that should have allowed manual corrections had no safeguards against integer overflow, making it exploitable. The bug went unnoticed for nine years until 0xflorent identified it.
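The wraparound described above, modeled in Python as an added example. It is not the HongCoin contract's code, which this article does not reproduce; the function names, the additive shape of the admin adjustment and the 40 ETH sample balance are assumptions.

```python
# Added illustration: models Solidity uint256 arithmetic in Python.
# Function names and the "admin adjustment" shape are hypothetical; the
# HongCoin source is not reproduced in this article.

UINT256_MAX = 2**256 - 1
WEI_PER_ETH = 10**18


def add_pre_0_8(a: int, b: int) -> int:
    """uint256 addition as compiled before Solidity 0.8: wraps mod 2**256."""
    return (a + b) & UINT256_MAX


def add_checked(a: int, b: int) -> int:
    """uint256 addition with 0.8 semantics (or SafeMath): revert on overflow."""
    result = a + b
    if result > UINT256_MAX:
        raise OverflowError("revert: uint256 addition overflow")
    return result


def delta_to_reach(current: int, target: int) -> int:
    """Operand that moves `current` to `target` under wrapping addition."""
    return (target - current) & UINT256_MAX


def admin_adjust(balances: dict, holder: str, delta: int, add=add_pre_0_8) -> int:
    """Hypothetical admin correction: balances[holder] += delta."""
    balances[holder] = add(balances[holder], delta)
    return balances[holder]


def wraps(a: int, b: int) -> bool:
    """Audit check: would a + b wrap in unchecked uint256 arithmetic?"""
    return a + b > UINT256_MAX


if __name__ == "__main__":
    # Constructed sample balance, not a real investor record.
    balances = {"investor_a": 40 * WEI_PER_ETH}
    delta = delta_to_reach(balances["investor_a"], 1)
    print("wraps:", wraps(balances["investor_a"], delta))
    print("unchecked result:", admin_adjust(dict(balances), "investor_a", delta))
    try:
        admin_adjust(dict(balances), "investor_a", delta, add=add_checked)
    except OverflowError as exc:
        print("checked result:", exc)
```

With unchecked arithmetic an add-only function can lower a stored value, which is why contracts compiled before Solidity 0.8 need an explicit overflow check on every privileged arithmetic path.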
Broader Impact
This recovery reinforces a positive narrative in crypto security: that whitehat researchers and project teams can collaborate to fix ancient vulnerabilities. While DeFi exploits have drained billions, this case shows that locked funds can be rescued with technical ingenuity and cooperation. It also highlights the risks of legacy contracts that remain on-chain without active maintenance. For investors, it’s a reminder that even old, abandoned projects can still hold value—especially if the code contains forgotten backdoors.
What to Watch Next
- Monitor whether the remaining 46 investors claim their funds, and how quickly.
- Other similar 2016-era ICO contracts may hold locked ETH; whitehat researchers may target them next.
- 0xflorent’s recent flurry of recoveries suggests a rise in proactive security audits of dormant contracts.
This article is for informational purposes only and does not constitute financial advice.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved.