A white hat hacker recovered $2M in ETH locked in a HongCoin ICO smart contract since 2016 by exploiting an integer overflow vulnerability to free trapped funds.

Ethical Hacker Frees $2M in Ethereum Trapped Since 2016 ICO Failure

2026/06/01 14:55

Key Points

  • Security expert “0xflorent” successfully freed approximately 1,003 ETH (valued at roughly $2 million) from a 2016 HongCoin ICO smart contract after nine years
  • An error in the contract’s refund mechanism prevented investors from withdrawing their ETH when the ICO failed to meet its fundraising target
  • The researcher collaborated with HongCoin’s team to leverage an integer overflow flaw in an administrative function to release the locked assets
  • 48 initial investors are now able to retrieve their ETH; two participants have already withdrawn 96.5 ETH (approximately $193,000)
  • The researcher accepted no compensation — only voluntary “whitehat rewards” from grateful investors

A cybersecurity expert has successfully released approximately 1,003 Ether valued at around $2 million that remained trapped in a 2016 ICO smart contract for almost ten years.

The cryptocurrency belonged to participants in HongCoin, an Ethereum-based token offering marketed as a community-driven investment vehicle. The ICO operated from August 29 through October 28, 2016, but ultimately fell short of its fundraising target.

Following the unsuccessful sale, the smart contract should have automatically returned funds to investors. However, a coding error in the refund mechanism silently prevented this from occurring.

The cybersecurity professional, identified online as “0xflorent” or Florent, detailed the technical problem in a social media post on X. The refund mechanism would decline any token holder whose balance exceeded a global tracking variable. Through years of partial withdrawals, this counter had decreased to 356, effectively limiting total refunds to merely 3.56 ETH — significantly less than what most participants were entitled to receive.

The contract was developed using an outdated version of Solidity, the programming language for Ethereum smart contracts. It lacked safeguards against integer overflow, a defect in which a numerical value that grows past its maximum limit wraps around to a small number such as zero or one. The blockchain industry subsequently addressed this weakness through SafeMath, a protective library.

The Recovery Process

Florent discovered a solution by utilizing the HongCoin team’s administrative function. Executing it with a particular input value reset a participant’s token balance to one, enabling the refund verification to succeed and releasing the ETH.

This wasn’t an independent exploit. The administrative function required authorization from the HongCoin team’s multisignature wallet, necessitating team approval for each transaction. Florent contacted the team via email, validated the solution on a test network, and the team subsequently approved 41 transactions — one for each affected investor. The entire operation required approximately one week.

Among the 48 qualified investors, 41 required the balance adjustment. The remaining seven held sufficiently small amounts to receive direct refunds.
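The refund guard and the balance wrap-around described above can be modelled outside the EVM. The following Python sketch is an added example, not HongCoin's contract code: the class, the function names, the 50,000-token balance and the choice to model the administrative function as an unchecked addition are all assumptions; only the counter value 356 and the resulting balance of one come from the article. It also shows how a SafeMath-style checked addition would have rejected the same input.

```python
UINT256_MAX = 2**256 - 1  # largest value an EVM uint256 can hold

def unchecked_add(a, b):
    """Addition as old Solidity performs it: silently modulo 2**256."""
    return (a + b) & UINT256_MAX

def checked_add(a, b):
    """SafeMath-style addition: refuse any result that would wrap."""
    if a + b > UINT256_MAX:
        raise OverflowError("uint256 addition overflow")
    return a + b

def refund_allowed(balance, counter):
    """Guard as the article describes it: decline a balance above the counter."""
    return balance <= counter

def wrap_input(balance, target=1):
    """Amount for which unchecked_add(balance, amount) equals target."""
    return (target - balance) & UINT256_MAX

class ToyToken:
    """Hypothetical ledger; names and layout are assumptions, not HongCoin's code."""
    def __init__(self, balances, counter, multisig, add=unchecked_add):
        self.balances = dict(balances)
        self.counter, self.multisig, self.add = counter, multisig, add

    def admin_credit(self, caller, holder, amount):
        if caller != self.multisig:  # administrative function is multisig-only
            raise PermissionError("caller is not the multisig")
        self.balances[holder] = self.add(self.balances[holder], amount)
        return self.balances[holder]

    def can_refund(self, holder):
        return refund_allowed(self.balances[holder], self.counter)

def demo():
    # Constructed data: the counter 356 is from the article, the balance is invented.
    start = {"investor": 50_000}
    legacy = ToyToken(start, 356, "team-multisig")
    before = legacy.can_refund("investor")            # balance above counter
    amount = wrap_input(50_000)                       # equals 2**256 - 49_999
    new_balance = legacy.admin_credit("team-multisig", "investor", amount)
    after = legacy.can_refund("investor")             # balance is now 1
    guarded = ToyToken(start, 356, "team-multisig", add=checked_add)
    try:
        guarded.admin_credit("team-multisig", "investor", amount)
    except OverflowError:
        return before, new_balance, after, True       # checked add rejected it
    return before, new_balance, after, False
```

In the unchecked model the same call that fixes the balance would be accepted for any caller-chosen amount, which is why the multisig gate on the administrative function matters as much as the arithmetic.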

Two participants have already withdrawn a total of 96.5 ETH, worth approximately $193,000. Both voluntarily compensated Florent with whitehat rewards, though no payment was obligatory. “There were no fees, no cut, no commission,” Florent stated to The Block.

Ongoing Recovery Efforts

This isn’t Florent’s inaugural recovery operation. On May 24, he documented liberating 19.33 Ethereum from two different legacy contracts — a defunct 2018 ICO and a Liquality Wallet account whose assets were stuck in expired atomic swaps.

Florent explained that he recently deployed his own Ethereum node and developed a scanning tool to identify contracts holding over 100 ETH. He then systematically reviewed candidates searching for exploitable weaknesses.

He also utilized Claude Code to assist with sorting and categorizing contracts, though he acknowledged the AI platform has limitations when directly analyzing smart contract security flaws.

The post Ethical Hacker Frees $2M in Ethereum Trapped Since 2016 ICO Failure appeared first on Blockonomi.
