Nine years. Forty-eight investors. Two million dollars sitting on-chain, fully visible, completely unreachable.
That changed this week when security researcher 0xflorent posted a thread on X disclosing what he called the first white-hat exploit of its kind in Ethereum’s history. In that thread, he said he had just unlocked 1,003.62 ETH, worth roughly $2 million, trapped inside a broken 2016 ICO smart contract belonging to HongCoin.
The Bug Nobody Fixed for Nine Years
HongCoin launched in August 2016 as a decentralized venture capital concept. The token sale collected ETH from 48 participants but never hit its funding target. The contract was supposed to handle that automatically, refunding every contributor once the raise fell short.
It did not. A flaw in the refund logic quietly broke the mechanism from the start. As 0xflorent explained on X, the contract held all the investors’ ETH and was built to auto-refund them, but the bug in the refund function prevented that entirely.
What made the bug particularly stubborn was its structure. A global counter inside the contract had been dragged down to 356 through years of partial refunds, capping any new refund at 3.56 ETH. Larger holders were fully blocked. The contract address, 0x9fa8fa61a10ff892e4ebceb7f4e0fc684c2ce0a9, stayed live on-chain the whole time. Anyone could see the ETH sitting there. Nobody could move it.
Part of why it survived nine years untouched comes down to timing. Solidity, Ethereum’s main smart-contract language, did not add built-in integer-overflow protection until version 0.8.0 in December 2020, four years after HongCoin’s contract was deployed. Compiler-enforced checks for this class of bug simply did not exist when the code was written.
One Function. One Specific Input.
The exit route turned out to be the contract’s own admin function. As 0xflorent shared on X, that function contained an integer-overflow vulnerability. Calling it with one specific input value wrapped a holder’s token balance back to one, which let the refund check pass and released the ETH.
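The two paragraphs above describe the same bug class from two sides: arithmetic that wraps silently under pre-0.8 compilers, and the checked arithmetic 0.8.0 made the default. The following contract is an added illustration written for this article; it is not HongCoin’s contract and not 0xflorent’s code. The names (`RefundLedger`, `adjustLegacy`, `adjustChecked`, `refundCap`) are hypothetical, and the `unchecked` block is used only to reproduce the pre-0.8 wrapping semantics inside a modern compiler so the two behaviours can be compared side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not HongCoin's contract. Names and layout are
/// hypothetical. Shows the bug class described in the article: arithmetic
/// that wraps silently under pre-0.8 Solidity (reproduced here with an
/// `unchecked` block) versus the checked arithmetic that 0.8.0 made default.
contract RefundLedger {
    address public immutable admin;
    mapping(address => uint256) public balance; // ETH owed to each contributor
    uint256 public refundCap;                   // hypothetical global per-call cap

    constructor(uint256 initialCap) {
        admin = msg.sender;
        refundCap = initialCap;
    }

    /// Contributions are credited 1:1. Under 0.8 the addition reverts on
    /// overflow instead of wrapping.
    receive() external payable {
        balance[msg.sender] += msg.value;
    }

    /// Legacy-style adjustment: how a pre-0.8 compiler would have compiled
    /// `balance[who] -= amount` with no guard. If amount > balance, the value
    /// wraps to 2**256 - (amount - balance) instead of reverting. This is the
    /// 2016-era defect class; it is kept here only to show the contrast.
    function adjustLegacy(address who, uint256 amount) external {
        require(msg.sender == admin, "admin only");
        unchecked {
            balance[who] -= amount; // silent wraparound
        }
    }

    /// Same operation under default 0.8 semantics: an underflow reverts with
    /// Panic(0x11) and storage is left untouched.
    function adjustChecked(address who, uint256 amount) external {
        require(msg.sender == admin, "admin only");
        balance[who] -= amount; // checked subtraction, reverts on underflow
    }

    /// Refund bounded by both the caller's balance and the global cap.
    /// Follows checks-effects-interactions so a re-entrant call observes the
    /// already-reduced balance.
    function refund() external {
        uint256 owed = balance[msg.sender];
        require(owed > 0, "nothing to refund");
        uint256 amount = owed < refundCap ? owed : refundCap;
        balance[msg.sender] = owed - amount; // cannot underflow: amount <= owed
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

In a Foundry test, `adjustChecked` with an amount larger than the balance can be asserted to revert with `vm.expectRevert(stdError.arithmeticError)`, while `adjustLegacy` leaves a wrapped balance behind. That difference is entirely a compiler default, which is why a deployed 2016 contract could not simply be patched and why the recovery had to go through whatever privileged path the original code already exposed.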
That admin function was restricted to HongCoin’s multisig wallet. 0xflorent could not execute it alone. He emailed the HongCoin team, validated the full unlock sequence on a Foundry mainnet fork, then handed the recovery path over. The team executed 41 transactions, one per blocked holder, between May 26 and May 30. Seven investors held small enough balances to be refunded directly without the workaround.
All 48 original investors can now claim their funds.
Two have already done so. Per on-chain data cited by 0xflorent on X, one investor recovered approximately 96 ETH, worth around $192,500. Another received 0.5 ETH. The unlock transactions are publicly visible on Etherscan.
0xflorent accepted no set compensation. Investors chose to send white-hat bounty donations voluntarily.
This Was Not a One-Off Search
What most coverage of this story has skipped past is what 0xflorent was doing before he found HongCoin. According to MoneyCheck, the researcher had deployed his own Ethereum node infrastructure and written custom scanning software to systematically identify smart contracts holding more than 100 ETH. He runs those contracts through a checklist, screening each for exploitable weaknesses. HongCoin was a find, not a chance discovery.
That matters for anyone who participated in a 2016 to 2018 era token sale and never received a refund. Legacy contracts from that period were written before SafeMath libraries were widely adopted and before Solidity’s built-in overflow guards existed. A significant number may still hold stranded ETH. The HongCoin recovery, as 0xflorent noted, works specifically because only original investors can claim the released funds. There is no drain route for a third-party attacker.
For early ETH holders across emerging markets who sent money into ICOs that never launched, including many who contributed through exchanges operating across East Africa at the time, this case sets a procedural template. Researcher finds flaw. Team verifies. Multisig executes. No keys compromised.
The question now is how many more contracts like this one are still sitting on Ethereum’s ledger, frozen and full.