A security researcher who goes by 0xflorent worked with the team behind a 2016 Ethereum (ETH) ICO contract to unlock about $2 million in ether that had sat trapped for 9 years, in a coordinated whitehat recovery that exploited an integer-overflow flaw the original developers had never patched.
The contract belongs to HongCoin, a 2016 token sale that fell short of its funding goal and was supposed to auto-refund investors' ether but failed to do so because of a bug in the refund function.
0xflorent's workaround unfroze 1,003.62 ETH, with 48 original investors now eligible to claim. Two have done so, retrieving a combined 96.5 ETH worth roughly $193,000, he said in an X thread Sunday.
First white-hat exploit on Ethereum: I unlocked 1,003.62 Ξ ($2,000,000) trapped in a 2016 ICO smart contract for 9 years. The 48 original investors can now claim their funds. pic.twitter.com/lyh5iyaDu7
— 0xflorent.eth (@0xFlorent_) May 31, 2026
The contract's refund logic rejected any holder whose token balance exceeded a global counter that years of partial refunds had dragged all the way down to 356, capping further refunds at 3.56 ETH.
0xflorent found that an admin function on the contract, restricted to HongCoin's multisig wallet, lacked the integer-overflow protections later built into the Solidity programming language. Calling it with a specific input value reset a holder's balance to 1, allowing the refund check to pass and releasing the funds.
The recovery was not a unilateral exploit, however. Because the admin function required HongCoin's multisig to execute, 0xflorent emailed the team, validated the unlock sequence on a test fork of Ethereum's mainnet, and the team itself signed the unlock transactions.
It signed 41 transactions, one per blocked holder, releasing the roughly 1,000 ETH that was actually stuck. Another seven holders held small enough balances to refund directly without the workaround.
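The refund gate and the unprotected admin arithmetic described above can be modelled in a few lines. This is an added illustration, not HongCoin's contract code: the class, the function names, the additive form of the admin call and the sample balance of 50,000 are assumptions, and only the counter value 356 comes from the article. It contrasts wrapping 256-bit arithmetic with the checked arithmetic of later Solidity versions, which reverts on the same input.

```python
# Added illustration: a constructed model, not HongCoin's contract code.
UINT256 = 2 ** 256          # EVM words are 256-bit unsigned integers
COUNTER = 356               # global counter value reported in the article


class RefundModel:
    def __init__(self, balances, checked):
        self.balances = dict(balances)   # holder -> token balance (constructed)
        self.counter = COUNTER
        self.checked = checked           # True = Solidity >= 0.8 style checked math

    def admin_add(self, holder, amount):
        """Hypothetical admin-only adjustment; multisig access control not modelled."""
        if not 0 <= amount < UINT256:
            raise ValueError("amount must fit in uint256")
        total = self.balances[holder] + amount
        if self.checked and total >= UINT256:
            raise OverflowError("checked arithmetic reverts on overflow")
        self.balances[holder] = total % UINT256   # unchecked math wraps silently

    def refund_allowed(self, holder):
        # The gate described in the article: balance must not exceed the counter.
        return self.balances[holder] <= self.counter


def wrapping_amount(balance, target):
    """Amount that makes an unchecked uint256 addition land on `target`."""
    return (target - balance) % UINT256


def demo(balance=50_000):                # 50_000 is a constructed sample balance
    amount = wrapping_amount(balance, 1)
    legacy = RefundModel({"holder": balance}, checked=False)
    blocked_before = not legacy.refund_allowed("holder")
    legacy.admin_add("holder", amount)
    modern = RefundModel({"holder": balance}, checked=True)
    try:
        modern.admin_add("holder", amount)
        reverted = False
    except OverflowError:
        reverted = True
    return blocked_before, legacy.balances["holder"], legacy.refund_allowed("holder"), reverted


if __name__ == "__main__":
    print(demo())
```

With checked arithmetic the same call reverts, which is why this kind of wraparound is specific to contracts compiled without overflow protection.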
It is the second such recovery 0xflorent has publicized in eight days.
On May 24, he said he had returned 19.329 ETH, worth about $40,590, to its original owners, including 5.141 ETH from a failed January 2018 ICO and 14.190 ETH from seven expired atomic swaps in a Liquality Wallet user account that had become inaccessible after the wallet shut down in 2024.
The recovery lands during a heavy stretch of DeFi exploits, with April alone seeing hundreds of millions of dollars drained across protocols, headlined by a roughly $293 million hit on Kelp DAO.

