A white-hat researcher helped recover 1,003 ETH locked in HongCoin’s failed 2016 ICO after finding a flaw that restored refunds for 48 investors.
Author: Akshat Thakur
31st May 2026 – A security researcher has unlocked 1,003.62 ETH worth approximately $2 million from a 2016 ICO smart contract that trapped investor funds for nine years.
High Signal Summary For A Quick Glance
GoldenRatio
@v1nnyEth
@0xFlorent_ Great job! Nice to see some positivity on the timeline.
First white-hat exploit on Ethereum: I unlocked 1,003.62 Ξ ($2,000,000) trapped in a 2016 ICO smart contract for 9 years. The 48 original investors can now claim their funds. https://t.co/lyh5iyaDu7
02:17 PM·May 31, 2026
malshaalan 🇰🇼
@malshaalan
@0xFlorent_ the reason this stays rare is selection. you can only white-hat funds when the contract happens to have a quirk that lets you in. most trapped eth sits in code that is simply sealed, no bug to call and no exit to hit. recoverable is the exception, not the rule.
First white-hat exploit on Ethereum: I unlocked 1,003.62 Ξ ($2,000,000) trapped in a 2016 ICO smart contract for 9 years. The 48 original investors can now claim their funds. https://t.co/lyh5iyaDu7
02:07 PM·May 31, 2026
C.J.
@0xCeejay
@0xFlorent_ wtf this is amazing, wish we had more of this in this space instead of defi exploits every other week.
First white-hat exploit on Ethereum: I unlocked 1,003.62 Ξ ($2,000,000) trapped in a 2016 ICO smart contract for 9 years. The 48 original investors can now claim their funds. https://t.co/lyh5iyaDu7
01:47 PM·May 31, 2026
High attention and emotional sentiment detected.
The researcher, known as 0xFlorent_, discovered an integer-overflow vulnerability in the HongCoin ICO contract. After testing the exploit privately, he disclosed the exact path to the original HongCoin team. The team then executed 41 on-chain transactions to unlock all affected balances.
The 48 original investors can now call the contract’s refund function directly. The team did not need to deploy a new claim contract. Refunds flow to each investor’s original contribution address.
HongCoin launched its ICO in August 2016, raising ETH from investors through a smart contract at 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9. The project failed to reach its soft-funding goal.
The contract included an automatic refund mechanism for exactly this scenario. If the ICO failed, the project was required to give investors their ETH back. A bug in the refund function quietly broke that check, and the funds became permanently stuck.
For nine years, the contract held approximately 1,003.62 ETH with no documented recovery attempts. The original Bitcointalk announcement from August 2016 confirms the contract address.
The vulnerability sat in an admin-only function within the contract. This function contained an integer-overflow flaw typical of early Solidity code written before SafeMath became standard.
By calling the admin function with a carefully crafted large number, the overflow resets a holder’s recorded balance. Once that balance changes, the refund guard condition passes. The normal refund path then works as originally intended.
0xFlorent_ forked the contract locally and proved the exploit worked safely end-to-end. Rather than executing it himself, he shared the exact transaction payload with the HongCoin team.
“I tested it end-to-end and shared the path with the team that successfully executed the 41 unlock transactions earlier this week,” the researcher wrote on X.
Timeline of the HongCoin ICO Refund Recovery
HongCoin officially launches its ICO campaign on Bitcointalk. The project publishes its Ethereum crowdsale contract and begins marketing the token sale to investors.
Investors start sending ETH into the HongCoin crowdsale contract. The fundraising phase officially begins with the goal of reaching the project’s funding target.
The ICO fails to reach its funding goal. Although the contract was designed to automatically refund contributors, a bug in the refund logic prevents withdrawals, trapping approximately 1,003.62 ETH belonging to 48 investors.
The trapped ETH remains inaccessible for roughly nine years and seven months. No successful recovery path is discovered and the refund mechanism remains broken for all affected investors.
Security researcher @0xFlorent_ discovers an integer-overflow vulnerability in an administrative function. After testing the exploit locally, he privately shares the exact recovery path with the original HongCoin team.
The HongCoin team performs 41 on-chain recovery transactions from its controlled address. Each transaction triggers the integer-overflow reset and restores access to the previously blocked refund path.
On-chain activity shows successful refund calls and ETH transfers flowing back to affected participants. For the first time since 2016, investors regain access to their locked funds.
@0xFlorent_ publishes the full white-hat disclosure thread. All 48 original investors can now claim their proportional ETH refunds directly from the original HongCoin contract. No migration, portal, or replacement contract is required, and no claim deadline has been announced.
The unlocker address executed all 41 transactions between approximately May 28 and May 30, 2026. Each transaction called the vulnerable admin function for a specific holder or batch.
Refunds are already flowing. One recent transaction shows a 0.5 ETH refund to an investor. Another shows a 96 ETH internal transfer to a single address. The contract’s balance has dropped from 1,003.62 ETH to approximately 907 ETH as investors claim their share.
Investors simply call “Refund My Ico In…” on the original contract. The ETH transfers directly to them. No multisig or intermediary is involved.
0xFlorent_ describes this as the “first white-hat exploit on Ethereum.” While other white-hat recoveries have occurred, the combination of a 9-year lockup, a constructive exploit of a vulnerability, and coordinated team execution appears unprecedented.
The event sits in the broader context of Ethereum’s history with locked funds. The 2017 Parity multisig freeze permanently locked over 500,000 ETH. Those funds remain inaccessible today. The HongCoin recovery demonstrates that teams can still resolve some legacy contract issues, even years later.
Community reaction on X has been strongly positive. Replies call the effort “legendary” and “Ethereum at its best.” No disputes about the white-hat framing or fund ownership have surfaced.
Several questions remain open. The project has not clarified whether it has contacted all 48 investors, and it has not announced a claim deadline. Whether 0xFlorent_ received any bounty or compensation is unknown.
No public statement from the HongCoin team exists beyond on-chain acknowledgments and the researcher’s thanks.
The contract still holds approximately 907 ETH. Remaining investors can claim at any time by calling the refund function from their original address.
The 48 original investors now have a direct path to their funds. Each can call the public “Refund My Ico In…” function on the HongCoin contract. The refund sends ETH to the caller’s address, provided it matches an original contribution.
No new infrastructure is required. The original contract handles everything. After nine years, the auto-refund mechanism finally works as designed.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
White-Hat Exploit Unlocks 1,003 ETH Trapped in 2016 ICO
Alephium Bridge Exploited for $815K via Forged VAAs
Circle Freezes $12.6M in Zama’s Confidential USDC Contract
Arbitrum Foundation Seeks $43.5M in New DAO Funding
White-Hat Exploit Unlocks 1,003 ETH Trapped in 2016 ICO
Alephium Bridge Exploited for $815K via Forged VAAs
Circle Freezes $12.6M in Zama’s Confidential USDC Contract
Arbitrum Foundation Seeks $43.5M in New DAO Funding
Ethereum
$2010.74
